Special permission sets

The following permission sets have special definitions that you should be aware of as you implement permissions and security for Business Central users.

Permission set Definition
SUPER Can read, use, update, and delete all data and all application objects in the scope of your license. Business Central requires that at least one user is assigned this permission set in each database.

The first user created is automatically assigned the SUPER Permission Set

You can't modify permissions for the SUPER permission set.

Running a synchronization of users from Microsoft 365 using the Update Users from Microsoft 365 guide, requires the SUPER permission set.
SUPER (DATA) Can read, use, update, and delete all data in the scope of your license. You typically assign this permission set to an accounting manager who needs to work with all data but doesn't need to change Business Central.
SECURITY Manage the permission sets that are assigned to your account. When assigned this permission set, you can:
  • Create new users and assign them any permission set that is also assigned to your account.
  • Remove a permission set from a user as long as the permission set is also assigned to your account.
  • Modify individual permission granted by a permission set as long as the permission set is also assigned to your account.
The idea behind this permission set is to prohibit you from granting users more permissions than you have. The permission set is useful for SUPER users or administrators who want to delegate permission management to team administrators. For example, a sales manager can assign permissions in sales area to sales people, sales assistant, sales coordinator, and so on.
BASIC Grants Read access to almost all application tables and all system tables.

The main purpose of this permission set is to enable the service to open and show all pages.

Note: This permission set is available only for Business Central on-premises.
D365 BASIC Grants Read access to almost all application tables and all system tables.

The main purpose of this permission set is to enable the service to open and show all pages.
FOUNDATION UI A prerequisite for all other permission sets. The FOUNDATION permission set grants access to system tables and application setup tables that are required for most application features to work. Note: This permission set is recommended when using the UI Elements Removal feature to automatically remove UI elements according to user permissions. For more information, see Removing Elements from the User Interface According to Permissions.

Note: This permission set is available only for Business Central on-premises.
SYSTEM APP - BASIC Grants access to most features of the system application and is required for sign in to Business Central.
SYSTEM APP - ADMIN Grants full permissions to all features of the System Application.
LOGIN Grants the minimum permissions to application and system objects that needed to sign in to Business Central. Use the permission set to allow users to sign in to Business Central without accidentally granting them permissions beyond those required by their tasks. By granting this permission set, the user will always be able to sign in.

Note: This permission set doesn't grant access to a Role Center. It only allows the user to sign in to Business Central.
USERGROUP Note: This permission set is deprecated in Business Central online. Use the SECURITY permission set instead.

This permission set allows you to manage memberships and permissions for users in user groups in Business Central on-premises.

Removing elements from the user interface according to permissions