Permission set object

APPLIES TO: Business Central 2021 release wave 1 (v18.0) and later

The permission set object in Business Central describes permissions on objects. Permission sets are building blocks used to compose assignable permission sets and entitlements. Assignable permission sets are permission sets that an admin can assign to users in Business Central, using the Permission Sets page. An entitlement is a collection of permission sets that constitute a set of meaningful permissions for a user.

Some permission sets can be nonassignable, meaning that they aren't discoverable or assignable in the Business Central UI. Instead, they can be used as building blocks to compose functional assignable permission sets.

For information about which permissions can be assigned to objects, see Permissions on Database Objects.

Designing with cautiousness

If a permission set is extended through AL, the extension makes additive changes to the permission set. This behavior means that an extension can provide elevated privileges to an otherwise limited set of permissions. Building permission sets that can be extended must be done carefully with this behavior in mind.
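The following review check for the additive behavior described above is an added example, not Microsoft's code or part of the original page. It reads AL source, finds permissionsetextension objects, and reports every permission they grant beyond the permission set they extend. The object names, IDs, and AL sample are constructed, and the regex parsing assumes simple objects without comments or nested braces.

```python
import re

# Constructed AL source (not from the page): a read-only set and an extension of it.
AL_SOURCE = '''
permissionset 50140 "Sales Read Only"
{
    Assignable = true;
    Permissions = tabledata Customer = R,
                  tabledata "Sales Header" = R;
}
permissionsetextension 50141 "Partner Addon" extends "Sales Read Only"
{
    Permissions = tabledata Customer = RIMD,
                  tabledata Vendor = Rm;
}
'''

NAME = r'("[^"]+"|\w+)'
OBJECT_RE = re.compile(r'permissionset(extension)?\s+\d+\s+' + NAME +
                       r'(?:\s+extends\s+' + NAME + r')?\s*\{(.*?)\}', re.S | re.I)
ENTRY_RE = re.compile(r'(\w+)\s+' + NAME + r'\s*=\s*([RIMDXrimdx]+)')


def parse(source):
    """Return ({set name: perms}, [(extension, target, perms)]) from AL text."""
    base, extensions = {}, []
    for is_ext, name, target, body in OBJECT_RE.findall(source):
        block = re.search(r'\bPermissions\s*=(.*?);', body, re.S | re.I)
        perms = {(kind.lower(), obj.strip('"')): set(letters) for kind, obj, letters
                 in ENTRY_RE.findall(block.group(1) if block else '')}
        if is_ext:
            extensions.append((name.strip('"'), target.strip('"'), perms))
        else:
            base[name.strip('"')] = perms
    return base, extensions


def added_permissions(source):
    """List what each extension grants beyond the permission set it extends."""
    base, extensions = parse(source)
    findings = []
    for ext_name, target, perms in extensions:
        for key, letters in sorted(perms.items()):
            have = base.get(target, {}).get(key, set())
            # A direct (uppercase) grant already covers the indirect (lowercase) one.
            new = {c for c in letters if c not in have and c.upper() not in have}
            if new:
                findings.append((ext_name, target, key, ''.join(sorted(new))))
    return findings
```

For the constructed sample, `added_permissions(AL_SOURCE)` reports that the extension adds insert, modify, and delete on Customer and introduces Vendor access that the base set never had.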

Snippet support

Typing the shortcut tpermissionset creates the basic layout for a permission set object when using the AL Language extension for Microsoft Dynamics 365 Business Central in Visual Studio Code.

Tip

Use Ctrl+Space to trigger IntelliSense and get assistance on code completion, parameter info, quick info, and member lists. For more information about snippets, see Syntax and snippets.

Generate permission set for an object

APPLIES TO: Business Central 2022 release wave 2 and later

When adding new AL objects, it's easy to forget to update the permissions. With the al.generatePermissionSetForExtensionObjects command, you can generate or update a permission file for the active project in Visual Studio Code. Choose to create a new permission file or select an existing file to make updates to. For more information, see AL Language extension configuration.

Permission set example

The following example illustrates a permission set Sales Person with permissions given to data in tables, each with a different level of access. The Assignable property is set to true, which allows the permission set to be assigned to a user. The Permissions property is set to the list of objects to give permissions to. The RIMD access assigned to data in the Customer table provides full access, whereas access to data in the Currency table, for example, is limited, allowing only full read and modify permission.

Note

The name of the permissionset object is limited to 20 characters when the Assignable property is set to true. Otherwise, it's limited to 30 characters. Exceeding the limit will throw the diagnostic Compiler Error AL0305.

permissionset 50134 "Sales Person"
{
    Assignable = true;
    Caption = 'Sales Person';

    Permissions = 
        tabledata Customer = RIMD,
        tabledata "Payment Terms" = RMD,
        tabledata Currency = RM,
        tabledata "Sales Header" = RIM,
        tabledata "Sales Line" = RIMD;
}

The following example of a permission set illustrates assigned permissions to run codeunits. With the IncludedPermissionSets property, we specify that the permission set Sales Person is also included in MyPermissionSet.

permissionset 50135 MyPermissionSet
{
    Assignable = true;
    Caption = 'My PermissionSet';
    IncludedPermissionSets = "Sales Person";

    Permissions =
        tabledata Vendor = RIm,
        codeunit SomeCode = x,
        codeunit AccSchedManagement = X;
}

You can also use the ExcludedPermissionSets property to exclude permissions defined in other permission sets. To learn more, see Composing permission sets from other permission sets.

Developing extensions
AL development environment
Entitlements and permission set overview
Permission set extension object
Permissions on database objects
Assignable property
IncludedPermissionSets
Permissions property