How to Customize Permission Sets in Business Central
Being able to tailor permission sets in Business Central helps you control what users can access and do across your system. While using out-of-the-box profiles often provides a broad foundation, you may want to utilize something more precise that aligns with the various job responsibilities within your company.
Enter what I like to call modern permissions, a flexible way for you to create customized, scalable permission sets that keep your environment secure and ensure it continues to run smoothly.
Why Modern Permissions Matter
As mentioned earlier, many users are assigned standard permission sets (such as D365 BUS Premium), which grant them extensive access across your Business Central environment. While simply giving users out-of-the-box permissions simplifies the initial setup, it often results in users seeing—and potentially manipulating—areas of the system outside their job scope. This can lead to bad data, potential breaches, and disrupted workflows.
With modern permissions, your admins can:
- Grant broad access to users on a case-by-case basis
- Systematically exclude specific areas (like bank accounts or financial reports) so that users only see what is pertinent to their jobs
- Avoid the need to re-record or manually customize every permission from scratch
- Maintain cleaner user cards with a single, role-named permission set
How It Works: Using Excluding Sets
Let’s look at an example of how you can use some specific tools to customize permission sets in Business Central to suit your company’s unique needs. The setup is simple:
- We will create a new permission set for an example employee named Alan Steiner, who is a sales order processor.
- Next, we will make sure to include all the necessary permissions within our customized set for Alan that are relevant to his job.
- Finally, we will use an exclude set to selectively remove access to sensitive objects or those that Alan doesn’t need to see.
A Step-By-Step Breakdown on Customizing Permission Sets in Business Central
Now that we have outlined our scenario, let’s look at the individual steps:
1. Creating a Role-Based Set
Alan is currently set up with the default “D365 BUS Premium” permission set. Although he is a trustworthy employee who hasn’t had any system errors, he still has too much unnecessary access to the system. If this were your company, you would start by creating a role-based set by following these steps:
- In the admin login, create a new permission set (for this example, we’ll call it SalesOrdPro).
- Leave the top-level permissions blank when you get into the new custom permission set.
- Use the “Included Permission Sets” section to nest existing sets (such as D365 BUS Premium).
2. Create an Exclude Set
Now that Alan has his custom permission set, you can assess his role and determine what to exclude from his view. For this example, you notice that Alan has access to bank accounts and financial ledgers, which are filled with sensitive data that isn’t pertinent to his job. To exclude those, follow these three steps:
- Click on “New +” and then name the new set something intuitive and easy to follow. It could be as simple as calling it “Exclude”.
- In the top section of the permission set, add the objects you want to block. In this example, we are going to block Table 270: Bank Account.
- After you are satisfied with what will be excluded, set Read Permissions to “Yes” to indicate those actions are present in the Exclude set.
3. Exclude the “Exclude” Set
Now that you have built out what will be excluded from Alan’s view, you can finalize the customized permission set:
- Go back to your role-based set (SalesOrderPC) and exclude the “Exclude” permission set.
- Next, you will go in and assign the new SalesOrdPro permission set to Alan by going to his user card and adding it under the “User Permission Sets” section.
This nesting logic will revoke access to the listed items while preserving the broader functionality that Alan needs to do his job well. He can still post sales orders (which requires access to the general ledger table) but is locked out from pages showing balances or reports.
An optional thing you can now do with Alan’s card as well is remove the other permission sets. Seeing as they are all included in the “SalesOrdPro” set, there is no need for them to be listed there anymore.
Customizing permission sets in Business Central this way also streamlines onboarding. New sales employees who do the same job as Alan can simply get the “SalesOrderPro” profile and permission set without manual juggling of multiple individual permissions.
Now, when we log into Alan’s profile and search for Bank Account, it doesn’t even come up. Note: Some other table and reports that use the Bank Account table. However, when we (Alan) try to click into it, we get a message notifying us about our lack of access.
If down the road you find out that Alan has access to other areas, you can simply go back into the Exclude permission set and add those. For example, you might want to remove his access to Vendor Bank Account.
Alternate Option: Security by Obscurity
Although the exclusion method is recommended for higher control, you can also simply hide pages like the Chart of Accounts. This prevents users from seeing data without disrupting their workflow. It is a softer method that could still come with issues, but it is still an effective form of access control.
To do this, go back into your Exclude permission set and include the Chart of Accounts. The only difference is under the “Object Type” you will select “Page” instead of “Table Data.”
By controlling “Execute Permission” access on pages, you obscure the user's visibility without cutting off underlying table permissions they need for workflows like posting.
Secure Your Environment and Streamline Workflows with Custom Permission Sets in Business Central
Modern permissions offer flexibility, clarity, and scalability in Business Central. It gives you the best of both worlds – using existing structures while fine-tuning security in a thoughtful and effective way. By using the exclude set method, administrators can go into various permission sets and easily customize what team members can and can’t see. This will benefit your company by boosting security and ensuring your team stays focused on only their core tasks.
Whether you are just starting out with Business Central or are looking to refine a mature system, customizing permission sets is a smart next move.
Talk to the Stoneridge Software Team to Start Customizing Permission Sets Today!
Our team has a pre-mapped list of finance-facing tables, pages, and reports to help you lock down access safely and efficiently. We can also help you map out the various roles and jobs within your company and help you customize permission sets for each of them to streamline productivity and design secure, scalable, and safe permission sets for your team.
Contact our experts today to learn more.
Under the terms of this license, you are authorized to share and redistribute the content across various mediums, subject to adherence to the specified conditions: you must provide proper attribution to Stoneridge as the original creator in a manner that does not imply their endorsement of your use, the material is to be utilized solely for non-commercial purposes, and alterations, modifications, or derivative works based on the original material are strictly prohibited.
Responsibility rests with the licensee to ensure that their use of the material does not violate any other rights.