In this series of bi-monthly blogs, Western Computer shares our expertise with tips and tricks to help users work more efficiently in Microsoft Dynamics 365 Business Central Cloud. Based on our more than 30 years in business—with 1,250+ solution implementations, including more than 350 in the cloud—we share the expertise we have accumulated to enable users to work as proficiently as possible. You can also subscribe to these blogs in our LinkedIn newsletter.
Imagine this: You are a system administrator, and you are assigning (or you have assigned) specific permission sets for users in Business Central, rather than letting everyone act as a SUPER user. In the middle of the process, among other things, you are running into issues such as users having too many or not enough permissions to execute their daily tasks.
The reality of permissions management can be tricky.
Let’s delve into how to troubleshoot both missing permissions and excessive permissions in Business Central.
Missing Permissions
This issue usually comes in the form of an error message when users try to access a certain part of the system. For example, for a user that tries to access the Production BOMs list without the proper permission sets, they will run into the following error message:
Note that I underlined a few important tokens on this message ⚠️:
-
In Red, it reads “TableData”. This is the Object Type that our user is lacking permission on. Object Types can be TableData, Table, Page, Report, Codeunit or System. (there are a few other types as well, but they are less common).
-
In Green, it reads the Object Id and Name: 99000771 – Production BOM Header.
-
In Orange, it reads “Read”, which is the permission access that the user is lacking. Permission Accesses are Read, Insert, Modify, Delete or Execute.
If we reorganize this message putting the Orange token first, this is how we would read it:
Lacking permission to Read on TableData 99000771 Production BOM Header.
Once you determine which permission is missing, you should be able to find a suitable Permission Set that contains the permission that is missing. In many cases, if this is a base Business Central object, there will be a base Permission Set covering it. However, if you are lacking permissions for a custom modification that was developed for your environment, you would need to check if the Extension was deployed with permission sets of its own (it is a good practice to do so, but not every software developer follows this).
If you don’t find any Permission Sets that include the object that is missing, ultimately, you will need to create a User-Defined Permission Set. See below an example of a custom Permission Set where I included only the Production BOM Header table, with a Read permission only.
When you create your own permission sets, be mindful not to add any extra permissions that might not be necessary, otherwise you will run into an issue of excess permissions, that I will talk about in the next section.
The last important thing to note when troubleshooting missing permissions: When you help users troubleshoot their permission issues, the process can become cumbersome, and they can get frustrated. Sometimes, after you fix a certain permission error, a new permission error will be uncovered regarding another object that is missing. For a frustrated user, they may not realize that the error message that is now showing is a new error message, showing a different object. Therefore, it’s really important that both you and your user pay attention to the error message to determine what object is missing. If you are supporting your user remotely, make sure to always request an updated screenshot every time they run into a permission issue.
Excess Permissions
In a situation of Excess Permissions, administrators are usually presented with the challenge that users are having access to areas that they shouldn’t.
For this type of troubleshooting, I recommend using the Effective Permissions page in Business Central.
In this page, users can see all the permissions that are assigned to them, and where that permission is stemming from. Users can only see permissions assigned to them. SUPER users can see permissions for any user in the system.
Once you open the Effective Permissions page, BC will take a few seconds to calculate all the objects that the user has access to. Then you’ll get the chance to change the User Id that you want to inspect:
For example, let’s say Debra is not supposed to have permission to use the Production BOM List, but you as an administrator saw her fiddling with it earlier today. You can inspect her effective permissions and search for the Production BOM Header table permission on the list, to see what permission set is granting her that access:
From the screenshot above, we can see that the permission set that is granting her access to the Production BOM Header, is the BOM-LIST one (coincidentally, that’s the one I created for demonstration on the previous section 😜).
Conclusion
In conclusion, managing permissions effectively in Business Central is crucial for maintaining the security and integrity of your system. By creating custom permission sets with only the necessary permissions, you can prevent issues of both missing and excess permissions. When troubleshooting permissions, it is essential to pay close attention to error messages and to communicate clearly with users to avoid confusion. Utilizing tools like the Effective Permissions page can help administrators identify and resolve permission issues efficiently. By following these best practices, you can ensure that users have appropriate access to the resources they need while safeguarding sensitive information.
About the Author
More Content by Marcelo Borges
