Dynamics 365 Business Central: How to list all permissions (all users with permission sets or all permission sets with permissions…)

Hi, Readers.
Today, I want to talk about how to list all permissions in Business Central. As you know, we sometimes need to export a list of all permissions from the ERP system for internal permissions management or for internal and external audits, for example a list of all users with their permission sets, or of all permission sets with their permissions.

Permission Management

First, let us look at the basic features of permission management in Business Central.
The structure of permissions in Business Central is shown below. (User groups can be skipped)
Permissions -> Permission Sets -> User Groups -> Users
PS: Business Central 2023 wave 1 (BC22) new features: Manage user permissions using Azure Active Directory security groups (‘User Group’ -> ‘Security Group’)

1. Permissions -> Permission Sets
Enter Permission Sets in Tell me, and then choose the related link.

Permission Sets:

After choosing the Permissions action, you can see all permissions of the permission set you selected.

2. Permission Sets -> User Groups
Enter User Groups in Tell me, and then choose the related link.

User Groups:

After choosing the User Group Permission Sets action, you can see all permission sets of the user group you selected.

3. Permission Sets -> User Groups -> Users
Enter Users in Tell me, and then choose the related link.

Choose Edit.

Then you can find User Groups and Permission Sets on the User Card page.

After choosing the Effective Permissions action, you can see all permissions of the user you selected.

List all permissions

1. List all permission sets with permissions (Permission Sets <- Permissions)

With the standard features, you must open each permission set to see the details of the permissions in it. So how can you see all the permissions at once without opening each permission set?
In fact, there is a system table 'Permission (2000000005)' that holds all the detailed information.

You can force Business Central to run the Permission table by adding the ?table=2000000005 parameter to the URL, as in the following example:
https://businesscentral.dynamics.com/d8f36038-1f93-4543-affc-5dc92b6ee871/Sandbox02?table=2000000005

You then get a list like the following.

| Role ID | Role Name | Object Type | Object ID | Object Name | Read Permission | Insert Permission | Modify Permission | Delete Permission | Execute Permission | Security Filter | System ID | Created At | Created By | Modified At | Modified By |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D365 ACC. RECEIVABLE | Dyn. 365 Accounts receivable | Table Data | 7380 | Phys. Invt. Item Selection | Yes | Yes | Yes | Yes | | | {4b9b18c1-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
| D365 ACC. RECEIVABLE | Dyn. 365 Accounts receivable | Table Data | 99000800 | Sales Planning Line | Yes | Indirect | Indirect | Indirect | | | {769b18c1-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
| D365 ACCOUNTANTS | Dynamics 365 for Accountants | Table Data | 18 | Customer | Yes | Yes | Yes | Yes | | | {f0ac18c1-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
| D365 ACCOUNTANTS | Dynamics 365 for Accountants | Table Data | 21 | Cust. Ledger Entry | Yes | | | | | | {f2ac18c1-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |

You can also use this table to create a new page to display them.

2. List all User Groups with permission sets (User Groups <- Permission Sets)

Similarly, for the User Groups there is another table, 'User Group Permission Set (9003)', in Business Central.

You can force Business Central to run the User Group Permission Set table by adding the ?table=9003 parameter to the URL, as in the following example:
https://businesscentral.dynamics.com/d8f36038-1f93-4543-affc-5dc92b6ee871/Sandbox02?table=9003

You then get a list like the following.

| User Group Code | Permission Set | User Group Name | Name | App ID | Scope | Extension Name | System ID | Created At | Created By | Modified At | Modified By |
|---|---|---|---|---|---|---|---|---|---|---|---|
| D365 ACCOUNTANTS | D365 ACCOUNTANTS | Dynamics 365 for Accountants | Dynamics 365 for Accountants | {00000000-0000-0000-0000-000000000000} | System | | {23bc40c7-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
| D365 ACCOUNTANTS | D365 BASIC | Dynamics 365 for Accountants | Dynamics 365 Basic access | {00000000-0000-0000-0000-000000000000} | System | | {24bc40c7-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
| D365 ACCOUNTANTS | D365 JOBS, EDIT | Dynamics 365 for Accountants | Dynamics 365 Create Jobs | {00000000-0000-0000-0000-000000000000} | System | | {25bc40c7-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
| D365 ADMINISTRATOR | D365 BASIC | Create and set up companies | Dynamics 365 Basic access | {00000000-0000-0000-0000-000000000000} | System | | {cfbb40c7-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
| D365 ADMINISTRATOR | D365 COSTACC, SETUP | Create and set up companies | Dyn. 365 Setup Cost Accounting | {00000000-0000-0000-0000-000000000000} | System | | {d7bb40c7-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |

3. List all Users with User Groups (Users <- User Groups)

This time we are going to use the table 'User Group Member (9001)' in Business Central.

You can force Business Central to run the User Group Member table by adding the ?table=9001 parameter to the URL, as in the following example:
https://businesscentral.dynamics.com/d8f36038-1f93-4543-affc-5dc92b6ee871/Sandbox02?table=9001

You then get a list like the following.

| User Group Code | User Security ID | Company Name | User Name | User Full Name | User Group Name | System ID | Created At | Created By | Modified At | Modified By |
|---|---|---|---|---|---|---|---|---|---|---|
| D365 BUS PREMIUM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | My Company | ADMIN | MOD Administrator | D365 Premium Business Access | {4609fe2f-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
| D365 INTERNAL ADMIN | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | My Company | ADMIN | MOD Administrator | Export data | {0309fe2f-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
| EXCEL EXPORT ACTION | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | My Company | ADMIN | MOD Administrator | D365 Excel Export Action | {3209fe2f-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
| D365 BUS PREMIUM | {85422c32-2779-463b-8164-14539bf8ac8b} | My Company | YZHU | YUN ZHU | D365 Premium Business Access | {5f1d6dc7-ac5a-eb11-af24-002248558a5a} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
| D365 FINANCE | {85422c32-2779-463b-8164-14539bf8ac8b} | My Company | YZHU | YUN ZHU | Read and write finance data | {dec28ec4-a05f-eb11-af24-002248558a5a} | 1/26/2021 3:36 PM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/26/2021 3:36 PM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |

4. List all Users with permission sets (Permission Sets -> Users)

This time we are going to use the table 'Access Control (2000000053)' in Business Central.

You can force Business Central to run the Access Control table by adding the ?table=2000000053 parameter to the URL, as in the following example:
https://businesscentral.dynamics.com/d8f36038-1f93-4543-affc-5dc92b6ee871/Sandbox02?table=2000000053

You then get a list like the following.

| User Security ID | Role ID | Company Name | User Name | Role Name | Scope | App ID | App Name | System ID | Created At | Created By | Modified At | Modified By |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | D365 BUS PREMIUM | My Company | ADMIN | Dyn. 365 Prem. Bus. Full Acc. | 0 | {00000000-0000-0000-0000-000000000000} | | {4e09fe2f-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
| {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | EXCEL EXPORT ACTION | My Company | ADMIN | D365 Excel Export Action | 0 | {00000000-0000-0000-0000-000000000000} | | {3a09fe2f-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
| {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | SUPER | | ADMIN | This role has all permissions. | 0 | {00000000-0000-0000-0000-000000000000} | | {5fad8029-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {00000000-0000-0000-0000-000000000001} | 1/14/2021 8:36 AM | {00000000-0000-0000-0000-000000000001} |
| {4d838caf-1476-4de9-8e9d-861e93e7f82b} | D365 BUS PREMIUM | My Company | ZHUYUN | Dyn. 365 Prem. Bus. Full Acc. | 0 | {00000000-0000-0000-0000-000000000000} | | {2a1d6dc7-ac5a-eb11-af24-002248558a5a} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
| {4d838caf-1476-4de9-8e9d-861e93e7f82b} | EXCEL EXPORT ACTION | My Company | ZHUYUN | D365 Excel Export Action | 0 | {00000000-0000-0000-0000-000000000000} | | {4d1d6dc7-ac5a-eb11-af24-002248558a5a} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |

5. If you want to combine this data, you need to do some simple development.

For example: Users <- Permission Sets <- Permissions
(for reference only)

Create a new table.

Source Code:

table 50111 EffectivePermissionList
{
    DataClassification = CustomerContent;
    TableType = Temporary;

    fields
    {
        field(1; LineNo; Integer)
        {
            Caption = 'Line No.';
            DataClassification = CustomerContent;
        }
        field(2; "User Security ID"; Guid)
        {
            Caption = 'User Security ID';
            TableRelation = User."User Security ID";
        }
        field(3; "Role ID"; Code[20])
        {
            Caption = 'Role ID';
            TableRelation = "Aggregate Permission Set"."Role ID";
        }
        field(4; "Company Name"; Text[30])
        {
            Caption = 'Company Name';
            TableRelation = Company.Name;
        }
        field(5; "User Name"; Code[50])
        {
            Caption = 'User Name';
        }
        field(6; "Role Name"; Text[30])
        {
            Caption = 'Role Name';
        }
        field(7; "App Name"; Text[250])
        {
            Caption = 'App Name';
        }
        field(8; "Object Type"; Option)
        {
            Caption = 'Object Type';
            OptionMembers = "Table Data","Table",,"Report",,"Codeunit","XMLport","MenuSuite","Page","Query","System",,,,,,,,,;
            OptionCaption = 'Table Data,Table,,Report,,Codeunit,XMLport,MenuSuite,Page,Query,System,,,,,,,,,';
        }
        field(9; "Object ID"; Integer)
        {
            Caption = 'Object ID';
        }
        field(10; "Object Name"; Text[249])
        {
            Caption = 'Object Name';
        }
        field(11; "Read Permission"; Option)
        {
            Caption = 'Read Permission';
            InitValue = Yes;
            OptionCaption = ' ,Yes,Indirect';
            OptionMembers = " ",Yes,Indirect;
        }
        field(12; "Insert Permission"; Option)
        {
            Caption = 'Insert Permission';
            InitValue = Yes;
            OptionCaption = ' ,Yes,Indirect';
            OptionMembers = " ",Yes,Indirect;
        }
        field(13; "Modify Permission"; Option)
        {
            Caption = 'Modify Permission';
            InitValue = Yes;
            OptionCaption = ' ,Yes,Indirect';
            OptionMembers = " ",Yes,Indirect;
        }
        field(14; "Delete Permission"; Option)
        {
            Caption = 'Delete Permission';
            InitValue = Yes;
            OptionCaption = ' ,Yes,Indirect';
            OptionMembers = " ",Yes,Indirect;
        }
        field(15; "Execute Permission"; Option)
        {
            Caption = 'Execute Permission';
            InitValue = Yes;
            OptionCaption = ' ,Yes,Indirect';
            OptionMembers = " ",Yes,Indirect;
        }
    }

    keys
    {
        key(PK; LineNo)
        {
            Clustered = true;
        }
    }
}

Create a new page to show the table.

Collect data.

Source Code:

page 50111 "New Permission List"
{

    ApplicationArea = All;
    Caption = 'User Effective Permission List';
    PageType = List;
    SourceTable = EffectivePermissionList;
    UsageCategory = Lists;

    layout
    {
        area(content)
        {
            repeater(General)
            {
                field("User Security ID"; Rec."User Security ID")
                {
                    ApplicationArea = All;
                }
                field("User Name"; Rec."User Name")
                {
                    ApplicationArea = All;
                }
                field("Company Name"; Rec."Company Name")
                {
                    ApplicationArea = All;
                }
                field("App Name"; Rec."App Name")
                {
                    ApplicationArea = All;
                }
                field("Role ID"; Rec."Role ID")
                {
                    ApplicationArea = All;
                }
                field("Role Name"; Rec."Role Name")
                {
                    ApplicationArea = All;
                }
                field("Object Type"; Rec."Object Type")
                {
                    ApplicationArea = All;
                }
                field("Object ID"; Rec."Object ID")
                {
                    ApplicationArea = All;
                }
                field("Object Name"; Rec."Object Name")
                {
                    ApplicationArea = All;
                }
                field("Read Permission"; Rec."Read Permission")
                {
                    ApplicationArea = All;
                }
                field("Modify Permission"; Rec."Modify Permission")
                {
                    ApplicationArea = All;
                }
                field("Insert Permission"; Rec."Insert Permission")
                {
                    ApplicationArea = All;
                }
                field("Execute Permission"; Rec."Execute Permission")
                {
                    ApplicationArea = All;
                }
                field("Delete Permission"; Rec."Delete Permission")
                {
                    ApplicationArea = All;
                }
            }
        }
    }

    trigger OnOpenPage()
    var
        AccessControl: Record "Access Control";
        RecPermission: Record Permission;
    begin
        // Fill the temporary table: one line per permission of each
        // permission set assigned to a user (Access Control x Permission).
        AccessControl.Reset();
        AccessControl.SetAutoCalcFields("Role Name", "User Name");
        Rec.LineNo := 0;
        if AccessControl.FindSet() then
            repeat
                // Permissions contained in the permission set assigned to this user.
                RecPermission.Reset();
                RecPermission.SetRange("Role ID", AccessControl."Role ID");
                RecPermission.SetAutoCalcFields("Object Name");
                if RecPermission.FindSet() then
                    repeat
                        // Init() does not clear the primary key, so LineNo keeps counting up.
                        Rec.LineNo := Rec.LineNo + 1;
                        Rec.Init();
                        Rec."User Security ID" := AccessControl."User Security ID";
                        Rec."Role ID" := AccessControl."Role ID";
                        Rec."Role Name" := AccessControl."Role Name";
                        Rec."Company Name" := AccessControl."Company Name";
                        Rec."User Name" := AccessControl."User Name";
                        Rec."App Name" := AccessControl."App Name";
                        Rec."Object Type" := RecPermission."Object Type";
                        Rec."Object ID" := RecPermission."Object ID";
                        Rec."Object Name" := RecPermission."Object Name";
                        Rec."Insert Permission" := RecPermission."Insert Permission";
                        Rec."Modify Permission" := RecPermission."Modify Permission";
                        Rec."Execute Permission" := RecPermission."Execute Permission";
                        Rec."Delete Permission" := RecPermission."Delete Permission";
                        Rec."Read Permission" := RecPermission."Read Permission";
                        Rec.Insert();
                    until RecPermission.Next() = 0;
            until AccessControl.Next() = 0;
        // Position the page on the first line instead of the last one inserted.
        if Rec.FindFirst() then;
    end;
}
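
The same Users <- Permission Sets <- Permissions join can also be run offline on exported rows during an audit. The Python below is an added example, not code from the original post: the CSV samples are constructed in the shape of the Access Control and Permission lists above, and the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed samples shaped like the Access Control and Permission lists
# above (not a real export); SUPER's own permission rows are omitted.
ACCESS_CONTROL_CSV = """User Name,Role ID,Company Name
ADMIN,SUPER,
ADMIN,D365 ACCOUNTANTS,My Company
ZHUYUN,D365 ACCOUNTANTS,My Company
ZHUYUN,D365 ACC. RECEIVABLE,My Company
"""
PERMISSION_CSV = """Role ID,Object Type,Object ID,Read Permission,Insert Permission,Modify Permission,Delete Permission
D365 ACCOUNTANTS,Table Data,18,Yes,Yes,Yes,Yes
D365 ACCOUNTANTS,Table Data,21,Yes,,,
D365 ACC. RECEIVABLE,Table Data,21,Yes,Indirect,Indirect,
"""
RANK = {"": 0, "Indirect": 1, "Yes": 2}  # permissions are additive
COLUMNS = ("Read", "Insert", "Modify", "Delete")

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def effective_permissions(access_rows, permission_rows, company):
    """Join users to permissions via Role ID; keep the strongest value."""
    by_role = defaultdict(list)
    for p in permission_rows:
        by_role[p["Role ID"]].append(p)
    merged = {}
    for a in access_rows:
        if a["Company Name"] not in ("", company):
            continue  # scoped to another company; blank means all companies
        for p in by_role[a["Role ID"]]:
            key = (a["User Name"], p["Object Type"], int(p["Object ID"]))
            current = merged.setdefault(key, dict.fromkeys(COLUMNS, ""))
            for col in COLUMNS:
                if RANK[p[col + " Permission"]] > RANK[current[col]]:
                    current[col] = p[col + " Permission"]
    return merged

def direct_writers(merged, object_id):
    """Users with direct (Yes) Insert, Modify or Delete on a table."""
    return sorted({user for (user, otype, oid), perms in merged.items()
                   if otype == "Table Data" and oid == object_id
                   and "Yes" in (perms["Insert"], perms["Modify"], perms["Delete"])})

def unscoped_assignments(access_rows, roles=("SUPER",)):
    """Privileged sets assigned with a blank company (all companies)."""
    return [(a["User Name"], a["Role ID"]) for a in access_rows
            if a["Role ID"] in roles and not a["Company Name"]]
```

Call effective_permissions(load(ACCESS_CONTROL_CSV), load(PERMISSION_CSV), "My Company") and pass the result to direct_writers with a table number such as 18 (Customer) to get the users who can change that table directly.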

Update: How to change default User Groups for new Business Central users (User Group Plan)

END

Hope this will help.

Thanks for reading.

ZHU
