Permissions on Database Objects

This section provides an overview of permissions on objects in Dynamics 365 Business Central.

Permissions

If you have been granted permission to read a page, then you can open the page and view the data that it displays. If, however, you do not have write permission, you are not allowed to enter data into this page.

Sometimes, when you open a page it displays information from several tables. To access this page, you must have permission to view all the data displayed by the page. You might not have permission to read directly from all the tables that the page uses. In this case, you must have indirect permission to read from the tables in question. Having indirect permission to a table means that you cannot open the table and read from it but can only view the data it contains indirectly through another object, such as a page or report, that you have direct permission to access.

Dynamics 365 Business Central has a number of standard predefined security permission sets. You can use these permission sets as defined or you can change a permission sets to suit your particular needs. You can also create your own permission sets and assign them the permissions that you want.

Permissions on Objects

The following table describes the permissions that can be assigned for specific objects. When assigning permissions by using the object types PermissionSet Object and PermissionSet Extension Object these permissions have been shortened. The table illustrates the abbreviations used.

Permissions on tabledata are specified with the following abbreviations:

Permission Description Abbreviation in AL
Read You can read data. R for direct read access, r for indirect read access.
Insert You can insert data. I for direct insert permission, i for indirect insert permission.
Modify You can modify data. M for direct modify permission, m for indirect modify permission.
Delete You can delete data. D for direct delete permission, d for indirect delete permission.

Permissions on all objects are specified with the following abbreviations:

Permission Description Abbreviation in AL
Execute You can run this object. X for direct execute permissions, x for indirect execute permissions.

Wildcard

The wildcard can be used as a shortcut to assign multiple permissions at a time, such as:

Permissions = codeunit * = X;

Important

The wildcard must be used with caution, because when it is used in a permission set it grants the permission to all objects of that type across all permissions. If a permission set with a wildcard is included in an entitlement, it only covers the objects of that type in the current extension.

Example

All of the permissions illustrated above can be combined into a group of permissions for any given object. For example:

...
Permissions =     
    tabledata Customer = RIMD,        // Full access
    tabledata "Payment Terms" = RMD,  // Full read, modify, and delete access - no insert
    tabledata Currency = rimd,        // Full indirect access
    tabledata "Sales Header" = RIM,   // full read, insert, and modify access - no delete
    tabledata "Sales Line" = RIMD,    // Full access
    report "Sales Statistics" = X;    // Full access
...

Get Started with AL
Entitlements and Permission Set Overview
Permission Set Object
Permissions on Database Objects