Hi, Readers.
Today, I want to talk about how to list all permissions in Business Central. Sometimes we need to export a list of all permissions from the ERP system for internal permissions management or for internal and external audits, for example a list of all users with their permission sets, or a list of all permission sets with their permissions.
Permission Management
First, let us look at the basic features of permission management in Business Central.
The structure of permissions in Business Central is shown below. (User groups can be skipped)
Permissions -> Permission Sets -> User Groups -> Users
PS: Business Central 2023 wave 1 (BC22) new features: Manage user permissions using Azure Active Directory security groups (‘User Group’ -> ‘Security Group’)
1. Permissions -> Permission Sets
Enter Permission Sets in Tell me, and then choose the related link.
Permission Sets:
After choosing the Permissions action, you can see all permissions of the permission set you selected.
2. Permission Sets -> User Groups
Enter User Groups in Tell me, and then choose the related link.
User Groups:
After choosing the User Group Permission Sets action, you can see all permission sets of the user group you selected.
3. Permission Sets -> User Groups -> Users
Enter Users in Tell me, and then choose the related link.
Choose Edit.
Then you can find User Groups and Permission Sets on the User Card page.
After choosing the Effective Permissions action, you can see all permissions of the user you selected.
List all permissions
1. List all permission sets with permissions (Permission Sets <- Permissions)
If you use the standard features, you must open each permission set to see the details of the permissions in it. So how can you see all the permissions at once without opening each permission set?
In fact, there is a system table ‘Permission (2000000005)’ that holds all the detailed information.
So you can force Business Central to run the Permission table by adding the ?table=2000000005 parameter to the URL, as in the following example:
https://businesscentral.dynamics.com/d8f36038-1f93-4543-affc-5dc92b6ee871/Sandbox02?table=2000000005
Then you get a list like the following.
Role ID | Role Name | Object Type | Object ID | Object Name | Read Permission | Insert Permission | Modify Permission | Delete Permission | Execute Permission | Security Filter | System ID | Created At | Created By | Modified At | Modified By |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
D365 ACC. RECEIVABLE | Dyn. 365 Accounts receivable | Table Data | 7380 | Phys. Invt. Item Selection | Yes | Yes | Yes | Yes | | | {4b9b18c1-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
D365 ACC. RECEIVABLE | Dyn. 365 Accounts receivable | Table Data | 99000800 | Sales Planning Line | Yes | Indirect | Indirect | Indirect | | | {769b18c1-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
D365 ACCOUNTANTS | Dynamics 365 for Accountants | Table Data | 18 | Customer | Yes | Yes | Yes | Yes | | | {f0ac18c1-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
D365 ACCOUNTANTS | Dynamics 365 for Accountants | Table Data | 21 | Cust. Ledger Entry | Yes | | | | | | {f2ac18c1-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
You can also use this table to create a new page to display them.
2. List all User Groups with permission sets (User Groups <- Permission Sets)
Similar to the above, for the User Groups, there is another table ‘User Group Permission Set (9003)’ in Business Central.
You can force Business Central to run the User Group Permission Set table by adding the ?table=9003 parameter to the URL, as in the following example:
https://businesscentral.dynamics.com/d8f36038-1f93-4543-affc-5dc92b6ee871/Sandbox02?table=9003
Then you get a list like the following.
User Group Code | Permission Set | User Group Name | Name | App ID | Scope | Extension Name | System ID | Created At | Created By | Modified At | Modified By |
---|---|---|---|---|---|---|---|---|---|---|---|
D365 ACCOUNTANTS | D365 ACCOUNTANTS | Dynamics 365 for Accountants | Dynamics 365 for Accountants | {00000000-0000-0000-0000-000000000000} | System | | {23bc40c7-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
D365 ACCOUNTANTS | D365 BASIC | Dynamics 365 for Accountants | Dynamics 365 Basic access | {00000000-0000-0000-0000-000000000000} | System | | {24bc40c7-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
D365 ACCOUNTANTS | D365 JOBS, EDIT | Dynamics 365 for Accountants | Dynamics 365 Create Jobs | {00000000-0000-0000-0000-000000000000} | System | | {25bc40c7-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
D365 ADMINISTRATOR | D365 BASIC | Create and set up companies | Dynamics 365 Basic access | {00000000-0000-0000-0000-000000000000} | System | | {cfbb40c7-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
D365 ADMINISTRATOR | D365 COSTACC, SETUP | Create and set up companies | Dyn. 365 Setup Cost Accounting | {00000000-0000-0000-0000-000000000000} | System | | {d7bb40c7-6650-eb11-bb50-000d3a2b981f} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} | 1/7/2021 6:33 AM | {00000000-0000-0000-0000-000000000001} |
3. List all Users with User Groups (Users <- User Groups)
This time we are going to use table ‘User Group Member (9001)’ in Business Central.
You can force Business Central to run the User Group Member table by adding the ?table=9001 parameter to the URL, as in the following example:
https://businesscentral.dynamics.com/d8f36038-1f93-4543-affc-5dc92b6ee871/Sandbox02?table=9001
Then you get a list like the following.
User Group Code | User Security ID | Company Name | User Name | User Full Name | User Group Name | System ID | Created At | Created By | Modified At | Modified By |
---|---|---|---|---|---|---|---|---|---|---|
D365 BUS PREMIUM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | My Company | ADMIN | MOD Administrator | D365 Premium Business Access | {4609fe2f-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
D365 INTERNAL ADMIN | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | My Company | ADMIN | MOD Administrator | Export data | {0309fe2f-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
EXCEL EXPORT ACTION | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | My Company | ADMIN | MOD Administrator | D365 Excel Export Action | {3209fe2f-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
D365 BUS PREMIUM | {85422c32-2779-463b-8164-14539bf8ac8b} | My Company | YZHU | YUN ZHU | D365 Premium Business Access | {5f1d6dc7-ac5a-eb11-af24-002248558a5a} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
D365 FINANCE | {85422c32-2779-463b-8164-14539bf8ac8b} | My Company | YZHU | YUN ZHU | Read and write finance data | {dec28ec4-a05f-eb11-af24-002248558a5a} | 1/26/2021 3:36 PM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/26/2021 3:36 PM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
4. List all Users with permission sets (Permission Sets -> Users)
This time we are going to use table ‘Access Control (2000000053)’ in Business Central.
You can force Business Central to run the Access Control table by adding the ?table=2000000053 parameter to the URL, as in the following example:
https://businesscentral.dynamics.com/d8f36038-1f93-4543-affc-5dc92b6ee871/Sandbox02?table=2000000053
Then you get a list like the following.
User Security ID | Role ID | Company Name | User Name | Role Name | Scope | App ID | App Name | System ID | Created At | Created By | Modified At | Modified By |
---|---|---|---|---|---|---|---|---|---|---|---|---|
{2f26eb5e-b85a-484c-b5ed-79099bf98a89} | D365 BUS PREMIUM | My Company | ADMIN | Dyn. 365 Prem. Bus. Full Acc. | 0 | {00000000-0000-0000-0000-000000000000} | | {4e09fe2f-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
{2f26eb5e-b85a-484c-b5ed-79099bf98a89} | EXCEL EXPORT ACTION | My Company | ADMIN | D365 Excel Export Action | 0 | {00000000-0000-0000-0000-000000000000} | | {3a09fe2f-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/14/2021 8:36 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
{2f26eb5e-b85a-484c-b5ed-79099bf98a89} | SUPER | | ADMIN | This role has all permissions. | 0 | {00000000-0000-0000-0000-000000000000} | | {5fad8029-f855-eb11-af24-0022485587e4} | 1/14/2021 8:36 AM | {00000000-0000-0000-0000-000000000001} | 1/14/2021 8:36 AM | {00000000-0000-0000-0000-000000000001} |
{4d838caf-1476-4de9-8e9d-861e93e7f82b} | D365 BUS PREMIUM | My Company | ZHUYUN | Dyn. 365 Prem. Bus. Full Acc. | 0 | {00000000-0000-0000-0000-000000000000} | | {2a1d6dc7-ac5a-eb11-af24-002248558a5a} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
{4d838caf-1476-4de9-8e9d-861e93e7f82b} | EXCEL EXPORT ACTION | My Company | ZHUYUN | D365 Excel Export Action | 0 | {00000000-0000-0000-0000-000000000000} | | {4d1d6dc7-ac5a-eb11-af24-002248558a5a} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} | 1/20/2021 8:19 AM | {2f26eb5e-b85a-484c-b5ed-79099bf98a89} |
5. If you want to combine this data, you need to do some simple development.
For example: Users <- Permission Sets <- Permissions
(for reference only)
Create a new table.
Source Code:
```al
table 50111 EffectivePermissionList
{
    DataClassification = CustomerContent;
    TableType = Temporary;

    fields
    {
        field(1; LineNo; Integer)
        {
            Caption = 'Line No.';
            DataClassification = CustomerContent;
        }
        field(2; "User Security ID"; Guid)
        {
            Caption = 'User Security ID';
            TableRelation = User."User Security ID";
        }
        field(3; "Role ID"; Code[20])
        {
            Caption = 'Role ID';
            TableRelation = "Aggregate Permission Set"."Role ID";
        }
        field(4; "Company Name"; Text[30])
        {
            Caption = 'Company Name';
            TableRelation = Company.Name;
        }
        field(5; "User Name"; Code[50])
        {
            Caption = 'User Name';
        }
        field(6; "Role Name"; Text[30])
        {
            Caption = 'Role Name';
        }
        field(7; "App Name"; Text[250])
        {
            Caption = 'App Name';
        }
        field(8; "Object Type"; Option)
        {
            Caption = 'Object Type';
            OptionMembers = "Table Data","Table",,"Report",,"Codeunit","XMLport","MenuSuite","Page","Query","System",,,,,,,,,;
            OptionCaption = 'Table Data,Table,,Report,,Codeunit,XMLport,MenuSuite,Page,Query,System,,,,,,,,,';
        }
        field(9; "Object ID"; Integer)
        {
            Caption = 'Object ID';
        }
        field(10; "Object Name"; Text[249])
        {
            Caption = 'Object Name';
        }
        field(11; "Read Permission"; Option)
        {
            Caption = 'Read Permission';
            InitValue = Yes;
            OptionCaption = ' ,Yes,Indirect';
            OptionMembers = " ",Yes,Indirect;
        }
        field(12; "Insert Permission"; Option)
        {
            Caption = 'Insert Permission';
            InitValue = Yes;
            OptionCaption = ' ,Yes,Indirect';
            OptionMembers = " ",Yes,Indirect;
        }
        field(13; "Modify Permission"; Option)
        {
            Caption = 'Modify Permission';
            InitValue = Yes;
            OptionCaption = ' ,Yes,Indirect';
            OptionMembers = " ",Yes,Indirect;
        }
        field(14; "Delete Permission"; Option)
        {
            Caption = 'Delete Permission';
            InitValue = Yes;
            OptionCaption = ' ,Yes,Indirect';
            OptionMembers = " ",Yes,Indirect;
        }
        field(15; "Execute Permission"; Option)
        {
            Caption = 'Execute Permission';
            InitValue = Yes;
            OptionCaption = ' ,Yes,Indirect';
            OptionMembers = " ",Yes,Indirect;
        }
    }

    keys
    {
        key(PK; LineNo)
        {
            Clustered = true;
        }
    }
}
```
Create a new page to show the table.
Collect data.
Source Code:
```al
page 50111 "New Permission List"
{
    ApplicationArea = All;
    Caption = 'User Effective Permission List';
    PageType = List;
    SourceTable = EffectivePermissionList;
    UsageCategory = Lists;

    layout
    {
        area(content)
        {
            repeater(General)
            {
                field("User Security ID"; Rec."User Security ID")
                {
                    ApplicationArea = All;
                }
                field("User Name"; Rec."User Name")
                {
                    ApplicationArea = All;
                }
                field("Company Name"; Rec."Company Name")
                {
                    ApplicationArea = All;
                }
                field("App Name"; Rec."App Name")
                {
                    ApplicationArea = All;
                }
                field("Role ID"; Rec."Role ID")
                {
                    ApplicationArea = All;
                }
                field("Role Name"; Rec."Role Name")
                {
                    ApplicationArea = All;
                }
                field("Object Type"; Rec."Object Type")
                {
                    ApplicationArea = All;
                }
                field("Object ID"; Rec."Object ID")
                {
                    ApplicationArea = All;
                }
                field("Object Name"; Rec."Object Name")
                {
                    ApplicationArea = All;
                }
                field("Read Permission"; Rec."Read Permission")
                {
                    ApplicationArea = All;
                }
                field("Modify Permission"; Rec."Modify Permission")
                {
                    ApplicationArea = All;
                }
                field("Insert Permission"; Rec."Insert Permission")
                {
                    ApplicationArea = All;
                }
                field("Execute Permission"; Rec."Execute Permission")
                {
                    ApplicationArea = All;
                }
                field("Delete Permission"; Rec."Delete Permission")
                {
                    ApplicationArea = All;
                }
            }
        }
    }

    // Fills the temporary source table each time the page opens.
    trigger OnOpenPage()
    var
        AccessControl: Record "Access Control";
        RecPermission: Record Permission;
    begin
        AccessControl.Reset();
        AccessControl.SetAutoCalcFields("Role Name", "User Name");
        Rec.LineNo := 0;
        // Outer loop: one Access Control row per user / permission set assignment.
        if AccessControl.FindSet() then
            repeat
                // Inner loop: every Permission row of that permission set, matched on Role ID only.
                RecPermission.Reset();
                RecPermission.SetRange("Role ID", AccessControl."Role ID");
                RecPermission.SetAutoCalcFields("Object Name");
                if RecPermission.FindSet() then
                    repeat
                        // Init() leaves the primary key untouched, so LineNo keeps counting up.
                        Rec.LineNo := Rec.LineNo + 1;
                        Rec.Init();
                        Rec."User Security ID" := AccessControl."User Security ID";
                        Rec."Role ID" := AccessControl."Role ID";
                        Rec."Role Name" := AccessControl."Role Name";
                        Rec."Company Name" := AccessControl."Company Name";
                        Rec."User Name" := AccessControl."User Name";
                        Rec."App Name" := AccessControl."App Name";
                        Rec."Object Type" := RecPermission."Object Type";
                        Rec."Object ID" := RecPermission."Object ID";
                        Rec."Object Name" := RecPermission."Object Name";
                        Rec."Insert Permission" := RecPermission."Insert Permission";
                        Rec."Modify Permission" := RecPermission."Modify Permission";
                        Rec."Execute Permission" := RecPermission."Execute Permission";
                        Rec."Delete Permission" := RecPermission."Delete Permission";
                        Rec."Read Permission" := RecPermission."Read Permission";
                        Rec.Insert();
                    until RecPermission.Next() = 0;
            until AccessControl.Next() = 0;
    end;
}
```
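For an audit done outside Business Central, the same Users <- Permission Sets <- Permissions join can be run over exports of the Access Control and Permission tables. The script below is an added example, not part of the original post: it assumes the two tables were saved as CSV with the column names shown above, the sample rows are constructed, and the watchlist of table IDs is an assumption a reviewer would set.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports; column names follow the table listings on this page.
ACCESS_CONTROL_CSV = """User Name,Role ID,Company Name
ADMIN,SUPER,
ADMIN,D365 BUS PREMIUM,My Company
ZHUYUN,D365 ACCOUNTANTS,My Company
ZHUYUN,D365 ACC. RECEIVABLE,My Company
"""
PERMISSION_CSV = """Role ID,Object Type,Object ID,Object Name,Insert Permission,Modify Permission,Delete Permission
D365 ACCOUNTANTS,Table Data,18,Customer,Yes,Yes,Yes
D365 ACCOUNTANTS,Table Data,21,Cust. Ledger Entry,,,
D365 ACC. RECEIVABLE,Table Data,99000800,Sales Planning Line,Indirect,Indirect,Indirect
"""
WRITE_COLUMNS = ("Insert Permission", "Modify Permission", "Delete Permission")


def load(text):
    """Parse one exported table (CSV with a header row) into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(access_rows, permission_rows, watched_table_ids):
    """Return (user, finding, company scope) tuples worth a reviewer's attention."""
    by_role = defaultdict(list)
    for perm in permission_rows:
        by_role[perm["Role ID"]].append(perm)
    findings = []
    for acc in access_rows:
        # A blank Company Name means the assignment applies to every company.
        scope = acc["Company Name"] or "all companies"
        if acc["Role ID"] == "SUPER":
            findings.append((acc["User Name"], "SUPER assigned", scope))
        # Same join as the AL page: Access Control -> Permission on Role ID.
        for perm in by_role[acc["Role ID"]]:
            if perm["Object Type"] != "Table Data":
                continue
            if int(perm["Object ID"]) not in watched_table_ids:
                continue
            # Only "Yes" is a direct grant; "Indirect" needs an intermediate object.
            direct = [c.split()[0] for c in WRITE_COLUMNS if perm[c] == "Yes"]
            if direct:
                detail = f'{perm["Role ID"]}: {"/".join(direct)} on {perm["Object Name"]}'
                findings.append((acc["User Name"], detail, scope))
    return findings


if __name__ == "__main__":
    for finding in audit(load(ACCESS_CONTROL_CSV), load(PERMISSION_CSV), {18, 21}):
        print(finding)
```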
Update: How to change default User Groups for new Business Central users (User Group Plan)
END
Hope this will help.
Thanks for reading.
ZHU