Watch this 30-minute webinar to understand what practical measures you can take to best manage user permissions within your Business Central environment.


Hi, everyone, thanks for joining us. We’ll be starting shortly.


Hi everybody, welcome today, and thank you for attending today’s webinar on Effective User Permission Management in Business Central. My name is Danusia Jolliffe and I’ll be facilitating the session today. For those of you who haven’t met me before, I am the Marketing Director here at TVision and I’ve been with the business for about five years. I’ve got about 20 years marketing experience. Alongside me as always is Ian, one of our Senior Support Desk Consultants. He’s been here at TVision probably about six months longer than me and has got a wealth of experience and no doubt you’ve been in touch with support. So, before we get started, and to remind you, we’ve got the question and chat boxes available for you to ask any questions. I’ll be monitoring them and I’ll ask any questions as we go along. If we are out of time, and you have any further questions that need to be answered, we can do that offline for you. On to the agenda of what we’ll be talking about today.


So, just as an overview agenda, and we’ll talk about the naming convention regarding these permissions. So, that’s the role centre / role, and full and team licences. Why indeed, you need to set up user permissions for your organisation, and Ian’ll talk a bit around how you to segregate duties, and the relevance of the size of your organization, in respect to these permissions. And then, finally, you’ll do a demo around the examples of how you can assign permissions. And you can do that in three ways, where they use an existing one, which you tweak, one that already exist, what to do to record a new one. So with that, I’ll pass over to Ian. And as I said, I’ll be monitoring the chat. So do ask some questions in the chat, or question box. Ian over to you. All right, thanks. Let me just bring this up. So permissions. This is not going to be exciting. I tried to think of ways of making this exciting.


It’s not like creating a report, certain account schedules where people can see what you’ve done. There’s some results. This is all in the background. There’s no glory in doing this. But it is something that’s really important for your organization. Why is it important?


Particularly if you’re an organization where you’re audited on an annual basis. Your auditors are going to ask questions about who has permission to do this, who couldn’t do that? Is anybody able to raise a purchase order and receive the goods and change the vendor’s bank account and make the payment? Because that’s opening your company up to fraud if somebody can do all of those things. So it becomes important.

8:54 Organisation growth

When your organisation starts growing, when you’re a small little organisation, maybe it’s you and your partner, your wife, your son, or daughter, whatever it might be. And you’ve got a business, you trust each other. You know, you’ve both got a vested interest in making things work properly, but when you’ve grown and you’ve got 100 employees, you need to start segregating those duties to protect yourself and to meet compliance requirements. Especially if you’ve government contracts, defence contracts, things like that as well. So, it is really important that you get it right as your company grows.

9:29 Licence types

There were a few places where permissions are affected within Business Central, and within the first one is, what type of license do you have? What type of license does it use? If you have a full license, you’re a full user, you can be given permission to do just about anything on the system. If you’re a team member, you’ve got a limited license or Team license, that license itself, it restricts what you’re able to do. So, even if you’ll give them permission to do everything, the license itself won’t actually do everything. So that’s the first place where permissions stop being affected.

10:13 Role Centre

The second place is your Role Centre. So that’s the screen that you get when you log on. So you can see I’ve logged on, yeah, I’ve logged on as a business manager. I get the menu option, it is applicable to me. This isn’t my permissions. This is just the way my screen looks. It’s not restricted to me just because there isn’t a menu item up here that says it doesn’t mean I’m not able to go look at. I can always go search for them and I can find journals. So on my role on my profile that just affects the way my screen looks, like it limits a little bit of permission setting here. I can modify, I can create new profiles over all centres, I can put on the menu that I want. I can make them an editable, I can restrict them to analyse their view. But that’s not a good way to reveal security.


because even if I personalize this, and I try and hide everything that lets you post a sales order, there’ll be somewhere in the background or some screen that I didn’t think of where there’s a button to close to Salesforce. My end user. Eventually, they’ll find that button, and they’ll be able to press. So, this is not where I would set up security by giving my users specific screens. We set it up using Mission sets. So, there are three kind of areas within BC.

11:49 User permissions

Let’s specifically deal with user permissions. The first one is an area called Permission Sets, and if we just go to that. Permission sets. This is an out of the box, Business Central SaaS, and these are all the permission sets that Microsoft give us out of the box. And these are all very generic. So there’s an accounts receivable that I’m hovering over. So this is what Microsoft thinks for a typical company. These are the permissions that somebody in accounts receivable would need. My company in your company, I might have a different idea. So within this one, I know from experience, and accounts receivable permission set, it lets me create a new customer. It lets me modify customers, it lets me, um, boost journals, it lets me do all sorts of things. In my organization, my accounts receivable team, I don’t want them creating customers. I might have a customer onboarding team to do that as a separate group of people. So, I might not be happy with these actually two box permission sets. You can tweak these permission sets, you can create your own permission sets.


Or, if you’re a small business, like I said, you know, that’s just 2 or 3 of you. You might be happy to use these very generic permission sets, as your company grows. You’re going to want to start taking refining your permissions, being a little bit stricter. So, permission sets is the first idea we need to speak to. And each one of these permission sets. If I assign it to a user, gives that user permission to do something on the system.

13:47 User groups

Next, kind of idea is the idea of a user group. And if we just search for user groups, it’s a group, it’s not a group of users, it’s a group of permission sets. So, it’s a bit of a strange naming convention, that Microsoft have gone with here. So, these are all user groups that already exist on the system. I did create a few new ones myself down here.


Ian, I’ve got a question: why do you put the TVT at the beginning? OK, so that’s just a convention that I use, and it’s not a bad idea. All of the ones that start with TVT, I know they’re the ones that I’ve created for TVision technology. All the ones that start with D 365, they’re the ones that Microsoft will give me out the box. It just makes it really easy for me to identify my customized stuff.


So if I look at this TVT debtors, and I say, What permissions does it have? These are the permission sets on the previous screen that I’ve just put into a generic group. Sorry, I think somebody is working in my debtors department, you might call it Accounts Receivable department. I think they need these permission sets. So, I’ve just kind of grouped them together. And that’s going to make my life a little bit easier on the left of the screen that we need to look at. And this is the last one.


I’ll try and make it more interesting after this. And this is the user’s screen. So this is where you set up your users, and this is where you assign permissions to users. So in this company, I’ve got a few users. Yep, I’m demo. Let’s look at my setup, and within 10 min. When it opens up, come on up. So, up at the top heading, in typical Business central fashion. It’s a little bit slow for some reason. It’s going to give me my name and what type of license I have, information like that. Then, down here, these are the two permissions and I have two sections: the first section, which user group do I belong to? Secondly, which specific permission sets do I have access to? So I can give permissions, either by assigning groups to a user. Or I can give permission is like signing permission set to a user, or a combination of both. I can do some groups and then tweak it by adding an extra permission set, now, perhaps. But this is all the areas we need to look at permission sets, user groups, and users.

16:52 Permissions setup example

And I think the best way for me to go through this is perhaps to give you a simple example. So, I’m going to I mentioned I’m a reasonably small company. Grady has just joined our company. My partners have set up Grady as a user that they’ve given him a license. Again, it’s a little bit slow, but I’m going to see it up here. It’s enabled. He’s got a valid license. He doesn’t have any permissions. I haven’t signed into any groups, I haven’t given any permission sets. So because I’m a small company, I’m likely very happy to just say that Grady is a super user. And if I give Grady, a superuser role, this role has all permissions. If Grady is my son, I might be happy to get in there.


As I say, if I’ve got 100 employees, I will be very reluctant to give somebody superuser permission unless they were the head of finance or the head of IT department, or something like that. So we’re a really small company, by all means, give superuser permission. We try that. I just want to delete that line and stuff to get it from fresh. More realistically, I’m still a small company, Grady’s working in my finance department. Let me see. I’ve got a group to do with Finance. I do after a group called Accountants, and this is one that Microsoft will get, and that’s by default. I’m happy.

18:40 Multi-company permissions

With the Microsoft defaults, I’m giving him the accountant’s group, which has various permission sets assigned to it. Soon, as I click off this line, I’ll see those permission sets that are granted at P&L.  But also, very important. I’ve only given ready access to the fresh start trading company. On my system, for companies, I can give Grady different permissions in each company.


If I wanted to have the same permissions in all companies, I can just remove that restriction there. And, yes, I wanted to update everything that’s really moved the restriction. Yes, now Grady is an accountant for all companies on my system.

And it says easiest to set up a new user. What might happen more typically? What I’m going to do, I’m going to delete this again so, it’s blank. Somebody new starts in your company and it’s a little bit more complicated than I just demonstrated. A good question to ask is: what job is clearly going to be doing? Oh, he’s going to be doing the same work as Alex, then a good idea. Come into Alex’s profile. See what permission is given to Alex. Again, it opens up. And I’ll be able to see what we have assigned to Alex. Oh. He’s got all users and debtors. He’s got my customized rules. I’m assuming that Alex is male but could be female. These are the permission sets. I can user install package to move these across, I can edit them moving across. I can just copy and paste, all, take a screenshot, Go back to credit card, Greatest code, give you all users, and give him debtors. A good way of doing this is, who else has a similar role, or the same role, and copy those settings? It saves you having to memorize what everything does. Because there are, quite literally, as we saw earlier, dozens upon dozens of commissions sets.


They all have a very brief description, but it doesn’t give you a lot of detail of exactly what type of banking does it like, She doesn’t let you look at bank accounts. Does this, won’t let you create new bank accounts? Post, bank transfers, deposits, make penance, et cetera? The description is a little bit vague. If I really want to know what this permission set does, I would go up to the ribbon. Whoa! On the wrong sheet, sorry. I would go to the permission sets page. We all make mistakes.


So I go to the permission sets page. And all the permission sets page. I find banking. But it wasn’t that is, I’m not gonna say, What permissions does Banking have. I’m not click on that permissions button. This is where it starts looking a little bit complicated, other scary, bit hard to read to us. But this is basically telling me, anyone who has banking permission on the currency table, they’re allowed to read it. They’re allowed to modify what they see and not allowed to insert a new currency. They’re not allowed to delete a currency that already exists. On a GL account. I can see all the GL accounts. I have read permission. I can’t create new ones, like oh modifying existing models. I can’t delete them. GL entries, I can see them. I can insert them, modify them indirectly, by close to a journal or something like that.


Coming further down, within a journal itself, I can see the lines, I can insert new lines directly by typing them in. I can modify them, delete them. So this tells you exactly what this rule is stable. It’s a little bit hard to read. But, once you kind of get the idea of those columns, these are the areas within the system. It becomes a bit easier. There are a lot of tables.


The banking role, that you get access to, the ones at the top, generally, the most important once things like customers, then there’s GL accounts, General ledger entries, custom merchant entries. Sales documents, they all got pretty low numbers. When you get up to a thousand, much more specialized areas within the system, looking at swift codes entries, things like that. So pay very close attention to the lines at the top of the list. You can give a little bit less attention to the ones further down there still worth looking at. But, really, these are the ones that are truly important to you, and you really care about. And your boss cares about as well.


So, we’ve talked about permission sets. Let’s see what a permission set can do. We’ve talked about user groups, which is a collection of permission sets. Users – you can give them user groups, or you can give them permission sets directly. And we didn’t mention the super permission set, which you really should avoid giving to people, except for two, maybe three users within your organization. Just in case someone leaves, because superusers can do anything without restriction.

25:09 When should you set up user permissions?

Well, we had a question come in which says when should I be doing this? OK, so, obviously, when you go before you go live, not when you go live, before you go live, you want to have your security, all your user acceptance testing system, or your test system. You need to be setting up these permission sets. If you watch any customized ones, setting up your user groups, if you’re not happy with the defaults, making sure that they were letting those users log on with those permissions, making sure that they can do their job. Once you’ve done live, it’s nice, it’s stable for a while. But after a couple of years, people have left. People have joined. Somebody’s being given extra access to do something, Somebody got access to your way, because they, they were logged in, they broke something, whatever it might be, and it starts looking a lot less organized. So, you really should, won’t see you at the absolute minimum, the review, be having a look. If you’re an auditing company, your auditors are going to force you to do this anyway by asking you questions.


So, if you wanted to create a new user group, you would simply search for user groups, and you would say, new. If you want to create a new permission set on Scratch, you can come in, and you could say new, or, you can take one of these and say banking, you think it’s about trying to, but you want to change it a little bit. You can make a copy of the permission set. And, you can change the permissions set, I’m going to show you how to create a new permission set, so, I’m just going to create one, and, I’m going to call my new permission set demo. And, Demo can only do sales.


You’ll notice it’s flagged as a user defined permission set. So this means, when a Wave update happens or your system is upgraded, Microsoft are not going to overwrite what you’ve done yet. The group system created ones here that Microsoft gives you by default in the next wave, update and modify slightly because of new functionality that’s being taken away. So, there’s always a risk that what you think it can do, it might change in the future, which is why we do recommend a copy of the existing ones. Because you will know it’s going to stay static. It’s not going to change unless you know about it.


Once I’ve created a new permission set, I say, OK, what permissions does this commission said? It shouldn’t have no permissions because I’ve just created it. I can manually assign permissions to this permission set. If I click here, I can choose which table to I want to give permission to see table, select that.


And then I will say whether it has read permission. Can they insert, modify, delete? I can choose, no, they can’t. Yes, that can. That can only do it indirectly across the document. It gets really complicated. You saw how many permissions there were in the permission set we were looking at just now.

28:37 Recording permission set setup

The best way to create a new permission set is to record, well, let me demonstrate that to you now. So, I only want this commission sent to be able to open sales orders and just look at a sales order. So what I’m going to do, I’m going to pop this screen out. So opens on a separate page. This one a lot faster when I was practicing yesterday and this morning. And as soon as it popped out here Oh, dear. The joys of doing things live. I’m going to click Start to start Recording. it’s gonna ask me to confirm, I’m going to record what I’m doing. I’ll come back to this screen, and I will search for Sales orders. Oh. I will open a sales order of the Sales Order. Let’s scroll down. Ah, I do apologize for the slow system. I’m going to just open any one of these orders just to see what’s inside the order. And as soon as this open, that’s as much as I want this permission set to do. Just open an order and see what’s inside it. So, I’ll come back to that screen that popped out. And I will say Stop recording.


Do I want to add these permissions? Yes, I do. And to do what I just did, just search for the sales orders, to see them, and to open one of them up. These are all tables that I needed read access to, to have done that yourself from scratch by typing them in, it would have taken you forever. So the record functionality is really good. It’s given me exactly the permission I need. Now. It’s not letting me instead modify delete, because while I was recording, I didn’t insert. I didn’t modify, delete. Images.

30:40 Help & Support

Also had a question saying, how can I stop people adding Direct Debit Mandate to NAV. So if you’ve got people acting Direct Debit mandates that accessing a table and they have in Search Commission on that tip, you just need to figure out which table is it that they’re accessing and insert permission. You won’t know which table that is. Well, I’m on a Sales order here. If I press alt control F one on most computers, or I’m scared of using keyboard shortcuts, and I want you to do things along the way, I can say Help and Support. And it should pop up a new window where I can inspect this page. And it tells me a new little window is going to pop up on the side here. Hmm, Please, come up. There it is. I’m on the sales handout. So if I don’t want this user to be able to view sales headers, I will go back to that permission set, and I will remove the View access for sales. And if I don’t want them inserting a new one, I would remove the Insert Commission on the sales. So, you can always see exactly which table it is. And there’s a number 36. And you will notice on the permission sets, but it didn’t just have an amendment at that number as well. You can use either of them. My system seems to be getting slow.


Once we set up permissions and, you know, it’s been a year or two. And we want to start having a review. The auditors are asking some good questions. And they say, what permissions does Alex have? Well, I can come to Alex’s. And the first place we can see on is use a Code is which group C belongs to a more specifically. Those groups give permission sets. It’s getting there. So I can say, well, he’s got permission to do all these things. But I can be even more specific. I can say, Well, all these permissions down, you know, effectively, what they allow analytics to do. Click on the effective conditions, It’s building a report for me. This is going to tell me every table within the system that Alex can access and what kind of permission she has on that table. Also, underneath the tables is going to tell me which Pages Alex can see, which reports Alex has. Which code units Alex can learn? So, it’s gonna give me very specific information about what Alex can do.


I’ve also had another question. If you’ve got an Add-on, for example, continue document capture, can you give permissions on that as well? Yes, you can. So document capture, that has its own tables in the background. When you install that document capture, it has its own permission sets that it creates on your system that you can assign to use this document capture all of the permission set. Let’s start with CDC, continue document capture. And document output all start with CD and TVT customizations. Let’s start with TVT just so you know where they come from.


Coming back to Alex, I clicked on Effective Permissions. It is showing me every table that Alex can access and what kind of permission Alex has. And if I click on Currency, for example, it’s gonna change at the bottom Currency. Alex can reach, Insert, to modify, and delete. He gets read permission from all of these different permission sets is insert permission, he gets it from this permission set, and this commissions and this delete permission. Also comes from this permission, so I can see what Alex is allowed to do on my system, which is the permission sets that I’ve assigned to Alex. So this is very useful for answering questions, or for doing a bit of analysis for itself.

35:37 Matrix permissions view

That’s another useful place to have a look, and that’s conditional set by user. This is a different view of machines on your system. This is gonna be a kind of a matrix view. So, down the left, we will see all the permission sets that exist on my system. And across the top, we’ll see all the users on my system, and we’re going to see which uses have been assigned, which permissions. I have edit in Excel, you have Export to Excel, I can see that and try it out. Nothing, if I scroll down far enough will eventually find the things Andrea has access to. And the same things for creating, remember, we didn’t set him up with anything. We deleted all the permissions. But Alex, I can see exactly what Alex has. So I can look at it per use up the F, or I could say permission set soon as the super permission. And another user called Ian That’s not me, that’s, that’s my Alter Ego. So, again, this is a very useful report to give to an auditor, if you’re looking at on your screen. You probably have a lot more columns to me. Sometimes you can’t see them all.


There is an option in the process to move the screen to the right, you know, chose the wrong one, hits on the browse. I can go to the right, go to the left, show new columns when you use, So this is a good way of auditing, who has permission to watch. One that I have mentioned a couple of times is superuser, they can do anything on the system. Super can run any report, and post anything, and run any code unit. You really do not want all your users to have this permission. You want one user and a backup or two users in the backup to have this permission. There are another two permission sets to really keep a close eye on. Another one is called Super data, and the one called security, which lets that user assigned permissions to use super, super data security. You really want to limit who gets access to those. The other ones don’t have as much power, but you still need to be careful.


My recommendation to you is, if you have the time, or if you don’t have the time, you should really make the time to record permission sets for all the tasks that you want your users to do. Then you know exactly what that does, because you created it from scratch, rather than trying to guess what the marginal components do. If you really want to know what a Microsoft permissions set does, the only way is to drill in and see what the permissions.


If you go search online for documentation, you’re not going to find anything. Sadly, this is very poorly documented on Microsoft. And a lot of the stuff that you get from other people, it’s outdated. Because these permissions do change from time to time. So you might find an article that’s two years old, it says, Oh, this permission set can do this. In those two years, Microsoft might have changed that. So, the information that you can find online is a little bit unreliable and just not 100%. That’s why I say, create your own permission sets. Create your own user groups, and then you know exactly what’s going on. And if an auditor asks you, you can say with certainty, oh, this is hope that does, I know that’s what it does because I created from scratch.


And, finally, sometimes you’ve set up permissions and the user comes to you and says, oh, it won’t let me do. It won’t let me look at the general ledger. They’ve got an error message, that error message, if it says you do not have permission to, the problem is, you haven’t given the correct permissions. And, immediately after that, you don’t have an issue, too. It will tell you exactly which table, whether it’s read permission, inserted permission to the permission, normally is the issue. That’s needed.


You need to ask the user, or finance should be used to be doing this. If they should, you need to go into the sense, tweak one of the commission sense, to have that permission, or give them a new permissions, have understood, and perhaps that live department, nobody told you, and now, they shouldn’t be able to the customers, and nobody said we give them permission to local customers. Maybe you need to give them the accounts receivable admissions. So, the error messages for permissions that always start with the same keywords, you do not have permission to if you see that its permissions related.


I think that’s everything that I wanted to cover, and I’ve spent a little bit more time than I should have, but, Danusia do we have any more questions? Uh, the only last question we have got time for was about, what happens if somebody moved moves department. We also have another question that I’ll get you to talk about offline. If someone leaves the province, you’ve got two choices. You can take away all the machines and give them new permissions that are relevant to their new job role. Some companies, you might like that level of security, or you can choose just to add the new permissions to what they already have. It both has pros and cons, if you add permissions to what they already have, they can always step over and help that old department if somebody’s off sick or something, as they still have the permission. That’s fantastic. But you’ve got to be a little bit careful, because the old department, maybe it was the deposit, was raising purchase orders. And the new department is now paying vendors. Now, if somebody has permission to raise purchase orders and pain enders, that segregation of responsibilities, you might be making somebody upset making the product to upset the MD upset, perhaps. So you’ve got to use a bit of common sense and decide which approach is best for you. Perhaps it should be a company policy, this is the way we’re going to do it for everyone. It’s worth thinking about. That’s pretty much all I had for you guys.

43:02 Summary of considerations for user permissions

So just to finish off there, just some things to think about when you’re talking about user permissions within your organization. It’s the size of the organization that needs to be considered. As Ian has said, the smaller you are, the super user becomes relevant. The larger you are, you need to think about what is the access that’s required. And as mentioned several times about having that defined task test for a role. And if you know what people are doing, you know which permissions they need.


And so we have talked to quite a long time today. I’m surprised, I thought, maybe it would be shorter, but we’ve had quite a few questions. It’s obviously a subject that people are interested in, if you do have any further questions then get in touch. And, as I said, there was one question that we’ll be answering offline. It needed a bit more detail. So, thank you, everyone, for attending today. As always, the link will be sent out to the recording. I know a few people dropped of. This recording will be available on the website. In the next 24, 48 hours along with a transcript. Do sign up to upcoming webinars in the next few months. Thank you so much for attending tonight. Thank you, guys. Bye.