Our Approach to User Groups & Permission
Hi Readers,
In this post, I will go through the approach we have used to configure user groups & permissions.
Big thanks to Mohammed Harunani for his contribution to the post (Mohammed - LinkedIn).
1. Collect user data from client
We collect the user data from the client in the form of an Excel file, in the sample format below:
Name | Email | License Type | Role | Department | Company | Responsibilities |
John Doe | john.doe@bladeinc.com | Full User | Procurement Assistant | Supply Chain | Blade Inc. | Monitoring stock levels, Tracking purchase orders, Receipt of goods into organizations, Researching vendors |
Ann May | ann.may@bladeinc.com | Full User | Procurement Assistant | Supply Chain | Blade Inc. | Monitoring stock levels, Tracking purchase orders, Receipt of goods into organizations, Researching vendors |
Emily Watson | emily.watson@bladeinc.com | Limited User | Business Development Executive | Sales | Blade Inc. | Getting new leads, Identify new opportunities, Creating a sales pipeline, Providing quotes |
Frank Hammond | frank@bladeinc.com | Full User | Accountant | Finance | Blade Inc. | Posting Journal Entries, Invoicing vendors |
John Shaw | johnshaw@bladeinc.com | Full User | Senior Accountant | Finance | Blade Inc. | Preparation of financial statements, Preparation of tax documents, Bank reconciliations, Manage payroll |
2. Group users with similar functions into user groups
Based on the above, we group the users with similar functions into user groups. In our case we will have four user groups, as below:
Name | Role | User Group |
John Doe | Procurement Assistant | PROC-ASSISTANT |
Ann May | Procurement Assistant | PROC-ASSISTANT |
Emily Watson | Business Development Executive | BUS-DEVT |
Frank Hammond | Accountant | ACCOUNTANT |
John Shaw | Senior Accountant | SEN-ACCOUNTANT |
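The grouping in steps 1 and 2 can be derived from the client's sheet with a script instead of by hand, which also produces the member lists needed in step 7. The following is an added example, not part of the original post; it assumes the sheet is saved as CSV with the columns shown above, and `plan_groups` and `ROLE_TO_GROUP` are hypothetical names.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the sheet from step 1 saved as CSV (Responsibilities left out).
SHEET = """Name,Email,License Type,Role,Department,Company
John Doe,john.doe@bladeinc.com,Full User,Procurement Assistant,Supply Chain,Blade Inc.
Ann May,ann.may@bladeinc.com,Full User,Procurement Assistant,Supply Chain,Blade Inc.
Emily Watson,emily.watson@bladeinc.com,Limited User,Business Development Executive,Sales,Blade Inc.
Frank Hammond,frank@bladeinc.com,Full User,Accountant,Finance,Blade Inc.
John Shaw,johnshaw@bladeinc.com,Full User,Senior Accountant,Finance,Blade Inc.
"""

# Role -> user group, as decided in step 2 (hypothetical name, not a BC object).
ROLE_TO_GROUP = {
    "Procurement Assistant": "PROC-ASSISTANT",
    "Business Development Executive": "BUS-DEVT",
    "Accountant": "ACCOUNTANT",
    "Senior Accountant": "SEN-ACCOUNTANT",
}


def plan_groups(sheet_text, role_to_group):
    """Return (members, problems): group -> e-mails, plus rows needing a decision."""
    members = defaultdict(list)
    problems = []
    seen = set()
    rows = csv.DictReader(io.StringIO(sheet_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        email = row["Email"].strip().lower()
        role = " ".join(row["Role"].split())  # collapse stray spaces from Excel
        if email in seen:
            problems.append(f"line {line_no}: duplicate user {email}")
            continue
        seen.add(email)
        group = role_to_group.get(role)
        if group is None:
            # Fail closed: an unmapped role gets no group, never a default one.
            problems.append(f"line {line_no}: no user group for role '{role}'")
            continue
        members[group].append(email)
    # A group nobody belongs to is worth questioning before it is created.
    for group in sorted(set(role_to_group.values()) - set(members)):
        problems.append(f"group {group} has no members")
    return dict(members), problems


if __name__ == "__main__":
    groups, issues = plan_groups(SHEET, ROLE_TO_GROUP)
    for name, emails in groups.items():
        print(name, emails)
    for issue in issues:
        print("REVIEW:", issue)
```

Rows reported under `problems` are left out of every group, so a new or misspelled role has to be mapped explicitly before that user receives any permissions.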
3. Create user groups/security groups in the system
A. User Groups
We create the user groups based on the above grouping in the system
B. Security Groups
PS: In BC 22 ( Release Wave 1 2023), security groups were introduced as a replacement for user groups
i. SaaS
A security group will need to be created in the Microsoft admin center
Read more from Microsoft website - How to add, edit & delete security groups - Microsoft
In Business Central, search for security groups and click on new. Pick the security group from the Microsoft Entra security groups field as shown below.
The security groups created in the admin center should be available
ii. On-Prem
For on-premises, security groups are only supported if the deployment is using Windows authentication. To create security groups for on-premises, use Windows Active Directory groups. Choose the group in the Windows group name field as shown below
4. Create Permission Sets and assign to User Groups/ Security Groups
A. BC 21 ( Release Wave 2 2022) and above
In BC 21, Microsoft added the ability to add permissions to permission sets. Rather than adding permissions individually, you can add entire permission sets.
This means we can create a permission set for a user group and add all the related permissions inside the permission set.
The permission sets will be created as follows (Type marked as User-Defined).
Click on Permissions at the top. For this example, I will use the PROC-ASSISTANT permission.
The improved Permission Set page is as shown below.
The permissions required can be added in the permission set section at the bottom left, as seen below.
The permission set can then be assigned to the user group/security group
User Group
In the User Group List, click on Permissions at the top for the user group you wish to assign permissions to.
Pick the permission from the permission set list.
Security Group
In the Security Group List, click on Permissions at the top for the user group you wish to assign permissions to.
Assign the permission set to that security group.
B. BC 20 ( Release Wave 1 2022) and below
In these versions, permission sets could not be grouped together in a single permission set. Example below for the Accountant user group.
All the permissions required are added on the User Group Permission Sets of the specific user group as opposed to adding the single permission set in BC 21 and above.
5. Additional tables required during implementation (optional)
Sometimes after implementation, you may want to give read, insert, modify or delete access of a certain table to a specific user group depending on your situation
A. BC 21 ( Release Wave 2 2022) and above
For example, the procurement assistant has had the ability to maintain the item categories master list delegated to them. Therefore, they would require the ability to modify, insert and delete in that table.
In the permission set, add the table in the Permissions section as shown below.
You can assign the read, insert, modify and delete permissions as per the scenario required.
You can add more tables if required.
B. BC 20 ( Release Wave 1 2022) and below
Create a new permission set with a suffix of ADD to indicate additional tables for that user group. Click on Permissions at the top and add the tables, similar to the example above.
Add the permission set to the already existing standard user group permission sets of that user group. If you require any additional tables, you can keep adding them to the created permission set.
6. Restrict access during implementation (optional)
During implementation, you may be required to restrict access to certain data, e.g. the chart of accounts.
For procurement, our instruction was that they should not be able to view the lists of chart of accounts, customers and fixed assets. I will look up the page numbers for these lists:
Chart of Accounts - Chart of Accounts (16, List)
Customers - Customer List (22, List)
Fixed Assets - Fixed Asset List (5601, List)
A. BC 21 ( Release Wave 2 2022) and above
In the permission section, I will use the Type : Exclude with the Object Type : Page and pick the page numbers of what I intend to restrict as seen below.
This will ensure that when the user searches for Chart of Accounts, the page is hidden from them.
You can identify other sensitive pages to hide e.g Customer Ledger Entries, General Ledger Entries among others.
B. BC 20 ( Release Wave 1 2022) and below
The function to restrict access as above is not available as standard in BC 20 and below.
You can explore these options: customization, use of security filters (Security Filters - Microsoft), or a workaround I have used, which requires a lot of manual work:
i. Copy the D365 Basic Permission.
ii. Edit the D365 Basic Permission and remove the Page 0 permission, which grants access to all pages.
iii. Create a D365 Pages Basic Permission without all the sensitive pages.
iv. Create various Pages Permission Sets, e.g. a Customer Pages Permission Set with access to the pages for customer data, e.g. Customer, Customer Ledger Entries, Detailed Ledger Entries etc.
v. Assign to the various user groups as per restriction.
7. Assign users to the user groups/security groups
User Groups
On the user groups list, click on Members at the top after selecting the specific user group.
Click on Add Users.
Pick the user from the list and click on OK. They will be populated as below.
If you have several companies, you can change the company and add users also.
You can also add user group membership on the user card and the applicable company. Blank Company means access to all companies.
Security Groups
The members are picked up automatically from the admin center/Windows.
This marks the end of the approach I use for user groups and permission sets.