Managing User Permissions in Dynamics 365 Business Central

Managing Permissions and Security Groups in Dynamics 365 Business Central – Part III

In previous blogs, we have discussed techniques for managing permission sets and security groups in Microsoft Dynamics 365 Business Central. The main idea is to define permission sets and security groups that will enable all job-related functions to be performed, and then assign users to those security groups as needed. When people change job responsibilities, they can be easily added or removed from the appropriate security group.

The problems with managing user permissions directly on the User Card

Once we have defined the security environment, we can assign the appropriate permissions to each user. Using permission sets and security groups not only makes it easier to see who has permission to perform specific tasks, but it also facilitates conducting user security audits when needed.

We start with the User Card for our fictional employee Nestor Wilke.

The user card shows several things. For instance, on the left-hand side of the screen, we can see if the user has any permission sets assigned to them and which company that permission set applies to. If it’s blank, it applies to all companies.

While this is where some people have all their user permissions defined, I recommend not having them here unless it’s specific to the user. For example, suppose you want Nestor to see only his resource and possibly his employee card, but not anybody else’s. Then you might want to create a unique permission set just for Nestor, which would be listed on his user card. If you put it in a security group, anyone else who’s in the security group would also receive those permissions and be able to view Nestor’s employee resource card.

Another possibility is to make this person a super user. However, even then, it would be preferable to create a security group for that purpose and then assign this person to that group, rather than entering it directly on the user card.

Looking at the details on the right-hand side of the user card, you can see if the user has also been assigned to a security group. If so, they will inherit the permissions from these security groups as well.

Therefore, if a user is assigned a permission set directly on their user card, as well as through a security group, changing the permissions in the security group will have no effect, because the user will still retain the permission assigned to them on the user card.

Now, suppose we want to give Nestor the same permissions as Susie. It would seem natural to simply go to Susie’s user card, copy and paste whatever permissions Susie has, and give them to Nestor. However, the better option is to put Nestor into the same security group as Susie. He will still get the same permissions that she has, but it is much easier to manage 10 security groups than it is 250 users.

Licenses and user permissions

The licenses available to the user are shown at the bottom of the User Card.

Business Central offers team member, essential, and premium licenses.

If the user has a permission set assigned that is not allowed by their license, they’ll receive reduced permissions based on what their license allows. For instance, if they are assigned essentials, they will only have the permissions that the essential license provides.

Effective permissions

In the upper left-hand corner of the User Card is a link to view the user’s effective permissions.

Effective permissions essentially tell you which tables and objects the user can Read, Insert, Modify, Delete, and Execute, as well as the permission sets to which they have been assigned.

From an auditing perspective, you should verify that everyone’s user card does not have permission sets assigned here; we recommend assigning these at the security group level.

Along the right-hand side of the Effective Permissions screen is a column with the heading “In User-Defined Permission Set.”

Here, you can determine whether the permissions are from a User-Defined Permission Set or not. If you are using all user-defined permission sets, seeing a box that is unchecked would indicate that the user is getting their permissions from somewhere else.

Related permissions: View permissions by user and by security group

From the Users screen (not the User Card), you can select Related Permissions: Permission Set by User and Permission Set by Security Group.

Viewing the Permission Set by User will give a detailed breakdown of which users have access to each permission set.

To make it easier to locate specific user access to permission sets, one trick is to export the Permission Set by User data to Excel and analyze it there.

Once in Excel, use Conditional Formatting to see where permissions are set to TRUE and highlight those rows.

With User permissions highlighted, you can easily see (or have an alternate view of) which users have permissions.

Alternatively, you can choose to view the Permission Set by Security Group and view the permissions assigned to each security group.

It’s all about the Security Groups

Ultimately, it’s all about the Security Groups. We recommend that you do not define permissions directly on the user card. Instead, control your users’ access by adjusting your security groups and permission sets.

Be sure to contact ArcherPoint by Cherry Bekaert if you have any questions related to Users, Permission Sets, and Security Groups in Dynamics 365 Business Central.

Trending Posts