Blog 4 of 4 in “What’s the deal with Permissions in BC?”
The recent updates to Microsoft Dynamics 365 Business Central permissions introduced significant changes that improved flexibility and control. As discussed in Part 1 of this 4-part series, User Groups are deprecated and Security Groups added. In Part 2, we dove into how permission sets now support a hierarchy providing enhanced functionality while streamlining user management and security in Business Central. And in Part 3, we explored how to manage hierarchical permissions in Microsoft Dynamics 365 Business Central (BC) to meet specific requirements including hiding specific records from users.
In this 4th and final post, we will wrap it all with my thoughts on what you might want to take into consideration as you prepare for a permissions implementation project.
Summary of changes
Security Groups allow for the management of user permissions from M365 and making adding users with the correct permissions easier. Security Groups replace some, but not all of the functionalities lost with the deprecation of User Groups.
Composable permission sets replace some but not all User Group functionality with the ability to reference permission sets within permission sets.
Permission sets now include a hierarchy that allows for easier control and flexibility. It is now possible to assign permissions automatically updated by Microsoft with updates and easily disallow/exclude permissions these assign as needed for specific users. And we can just as easily allow/include permissions that are missing.
In addition to permissions by object, filtering can be used to limit access to records to or from a specific group of users.
The Permission Project
Now that you know what is possible, how do you get started? By planning of course!
A Permission Project is:
- Not an IT project, it is an enterprise project.
- A project that needs support from the top and through all management.
- Not a few hours endeavor.
- An opportunity to review what users in each department or role are doing on a daily, monthly, quarterly and annual basis and segregation of responsibilities.
- An effort that requires planning.
- An opportunity to involve your hardest workers and recognize their contribution to the company by asking for their help in defining and testing.
- Often left for “someday” and never done.
Planning
If you have recently implemented your system, you may have test scripts from UAT or validation. These scripts can be helpful in determining what permissions need to be assigned to each department or groups of users in those departments.
Include what the users cannot do along with what they can do when planning. This is information that will not be in your test scripts. Very frequently, companies are so focused on users not getting permission errors when performing their work, they go to the other extreme and provide more access than intended.
I found an old Microsoft Dynamics 2010 Sure Step testing checklist that I repurposed as a template for reviewing what each type of user may or may not be doing in any given day. The lists are old, but still valid and a great starting place. Using these lists, you can indicate if a group of users should perform an action. The lists are task-based, not focused on an object like table, codeunit or page. Why? Because adding a new vendor, deleting a vendor or posting a purchase invoice are tasks. Users perform tasks, they don’t use objects. Remember, this is not an IT project, it is an enterprise project.
When what is in BC is not enough
As you plan, you may find not all of your requirements resolve with OOB functionality, or that you need to use the recorder to build permission sets using only TableData., or that you need to use the recorder to build permission sets using only TableData. Well guess what, there are apps for that!
Here a just a few that I respect and have some limited experience with, but don’t hesitate to check out the other solutions in AppSource.
Compliance Advanced Permissions Recorder – 2-Controlware
Advanced User Management – EFP Connect Consulting
Compliance Field Security – 2-Controlware
Advanced Cloud Security – hougaard.com
Apps are not one size fit all. They each have their strengths, weaknesses, and markets they target. Find the one that fits you best.
It’s a wrap!
I hope you have found this series on permissions in Microsoft D365 Business Central to be helpful and you have been able to use the information to find the Righter Way for your company to use permissions in BC. If you have, please leave a comment here, or in LinkedIn to let me and others know. I will greatly appreciate it.
