As I write this, I am looking at the security in the newest version (19.1) of Microsoft Dynamics 365 Business Central. We had noticed in the previous version that some of the permission sets give more access than the name indicates. This post will offer some actual examples of what we found in the newest version.
Permission Set: D365 Team Member
A Team Member License is a low-cost license that provides read-only access to the tables in Business Central. It also provides the ability to enter quotes and a few other items. We generally describe it as designed for management and sales people. It does not allow posting. When you assign a Team Member License to a user, the D365 Team Member permission set is assigned by default. Let us assume that you have a salesperson using this license.
Here are some interesting permissions assigned by this permission set:
- Bank Account: read and modify
- G/L Entry: read, insert, modify, and delete
- G/L Account: read and modify
- Customer: read and modify
- Vendor: read and modify
- Item: read and modify
- Job: read and modify
This license type is prevented from posting, so these permissions will not allow the team member to post general ledger entries. However, it does allow read-only access to any table in the system. A person with these permissions will be able to see all of the general ledger entries. This will include entries into the salary accounts, and if salaries are posted in detail in the G/L, amounts will be visible. In addition, the user will be able to see the chart of accounts and balances.
Obviously, you may not want to give this permission set to some users, particularly if you do not want them changing customers, vendors, items, and jobs.
Permission Set: D365 Basic
Let us say you decide to pick a more minimal permission set. This permission set, D365 Basic looks as if it would provide basic access to the system, and it does. It also provides the ability to read general ledger accounts and entries, and the ability to read, insert, and modify customers, vendors, and items.
A Bit More Info on Permission Sets
It appears that Microsoft has been reworking the permission set code in the last few versions. Developers can combine permission sets to make new permission sets. The permission set D365 BUS PREMIUM, for example, includes the following code:
IncludedPermissionSets = "D365 BUS FULL ACCESS", "D365PREM MFG, EDIT", "D365PREM SMG, EDIT", "D365PREM SMG, SETUP";
This code copies in all the permissions from the other permission sets. It is a good move from a maintenance standpoint, since it means that a change in one permission set will cascade through others. It makes it a little bit difficult to be sure exactly what you are getting when you assign a permission set.
The biggest lesson we have learned from this exercise is that you cannot just assume that permission sets provide logical permissions. In other words, you cannot take for granted that they mean what their name says they mean. And this means that any company needing tight security will be designing their permission sets pretty much from scratch.
Our hope is that Microsoft will add functionality to the permission set extension to allow us to DENY permissions that have been granted. As of this date, Microsoft documentation on the permission set extension says the following:
The permission set extension object in Business Central adds permissions to an existing permission set defined in AL. A permission set extension object cannot remove permissions from an existing permission set, it can only add permissions.
You can read more about the permission set extension object in the Microsoft documentation.
Be careful that the security you assign is the security meant to assign in Business Central.