User Permissions and Security

This section details how user access is controlled through multiple layers of security in Business Central 25, with specific focus on the Municipal manager implementation.

Permission Set Architecture

Standard Team Member Permission Sets

Essential Permission Sets:

  • TEAM MEMBER - Core Team Member functionality

  • D365 TEAM MEMBER - Standard Team Member access

  • D365 READ - Read access to common entities

Optional Permission Sets:

  • D365 JOURNALS, POST - If they need to post journals

  • TIMESHEET - For time tracking functionality

  • WORKFLOW APPROVAL - For approval processes

Custom Permission Set Creation

  1. Go to "Permission Sets" page

  2. Click "New"

  3. Create custom permission set with required permissions

  4. Assign to Team Member users as needed

Example Custom Permissions for Account Budget Overview:

Object Type: Table Data
Object ID: 15 (G/L Account)
Read Permission: Yes
Insert Permission: No
Modify Permission: No
Delete Permission: No

Object Type: Page
Object ID: 10008094 (Sve Account Budget Overview)
Read Permission: Yes
Insert Permission: No
Modify Permission: No
Delete Permission: No
Execute Permission: Yes
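
Added example (not part of the original page or of the Municipal manager code base): a Python check that parses permission entries written in the layout above and reports anything that breaks the read-only intent, meaning an Insert, Modify or Delete grant, or a Page entry without Execute. The third sample entry, its object ID 99999 and the function names are constructed for illustration.

```python
import re

# Constructed sample in the page's "Key: Value" layout. Entries 1 and 2 mirror the
# example above; entry 3 is a constructed over-grant with a placeholder object ID.
SAMPLE = """\
Object Type: Table Data
Object ID: 15 (G/L Account)
Read Permission: Yes
Insert Permission: No
Modify Permission: No
Delete Permission: No

Object Type: Page
Object ID: 10008094 (Sve Account Budget Overview)
Read Permission: Yes
Insert Permission: No
Modify Permission: No
Delete Permission: No
Execute Permission: Yes

Object Type: Table Data
Object ID: 99999 (Constructed Example Table)
Read Permission: Yes
Modify Permission: Yes
"""

WRITE_KEYS = ("Insert Permission", "Modify Permission", "Delete Permission")

def parse_entries(text):
    """Split on blank lines and turn each block into a dict of its fields."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        entries.append({k.strip(): v.strip() for k, v in pairs})
    return entries

def audit_read_only(entries):
    """Return (object, finding) pairs; a missing key is treated as 'No'."""
    findings = []
    for e in entries:
        obj = f'{e.get("Object Type", "?")} {e.get("Object ID", "?")}'
        for key in WRITE_KEYS:
            if e.get(key, "No").lower() == "yes":
                findings.append((obj, f"{key} granted"))
        if e.get("Object Type") == "Page" and e.get("Execute Permission", "No").lower() != "yes":
            findings.append((obj, "Execute Permission missing"))
    return findings

for obj, finding in audit_read_only(parse_entries(SAMPLE)):
    print(f"{obj}: {finding}")
```
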

Access Control Implementation

1. Application Area Controls

The system uses Application Area settings to control feature availability:

Application Area Levels:

  • Basic - Standard access level for Team Members

  • Suite - Extended functionality (if assigned)

  • All - Full access (restricted to administrators)

Code Implementation:

ApplicationArea = Basic, Suite;  // Standard access level
ApplicationArea = All;           // Full access (admin level)

For Team Members:

  • Typically assigned Basic application area

  • Suite area for extended functionality

  • All area restricted to administrators

2. Field-Level Visibility Controls

Individual fields can be hidden from Team Members using visibility controls:

Implementation Example:

field(GlobalDimension1Code; Rec."Global Dimension 1 Code")
{
    ApplicationArea = Basic, Suite;
    Visible = false;  // Hidden from user interface
}

Common Hidden Fields for Team Members:

  • Global Dimension codes (for security)

  • Posting group details

  • Advanced configuration fields

  • Balance at date details

3. Edit Restrictions

Entire sections can be made read-only for Team Members:

Implementation:

repeater(Control1)
{
    Editable = false;  // Prevents any editing
    // Field definitions...
}

4. Income/Balance Categorization

The system uses specific enums to control access to different account types:

Income/Balance Categories:

  • Income - Operating accounts

  • Balance - Balance sheet accounts

Filter Options:

  • None - No filtering applied

  • Income - Income statement accounts only

  • Balance - Balance sheet accounts only

5. Dimension-Based Filtering

Access is controlled through dimension filters:

Municipal Dimension Management:

// Municipality dimension management
DimFilter := MunicipalityDimMgt.FindDim1Filter('FIN', '');
if DimFilter <> '' then begin
    Rec.FilterGroup(8);
    Rec.SetFilter("Global Dimension 1 Filter", DimFilter);
    Rec.FilterGroup(0);
end;

For Team Members:

  • Automatic filtering based on assigned dimensions

  • Limited to specific organizational units

  • Cannot access all dimensional data

Specific Access Controls in Account Budget Overview

Page-Level Security (Page ID: 10008094)

Data Source Configuration:

SourceTable = "G/L Account";
SourceTableView = sorting("Income/Balance") order(ascending);
UsageCategory = Lists;

Edit Control:

  • Entire page set to Editable = false

  • No data modification allowed

  • Read-only access to all information

Visible Fields for Team Members

Financial Information:

  • Account Number

  • Account Name

  • Account Type

  • Net Change (with BlankZero formatting)

  • Budgeted Amount

  • Balance

  • Difference calculation (Budgeted Amount - Net Change)

  • Totaling information

Hidden Fields from Team Members

Administrative Fields:

  • Income/Balance classification (Visible = false)

  • Global Dimension 1 Code (Visible = false)

  • Global Dimension 2 Code (Visible = false)

  • Posting type details (Visible = false)

  • Business/Product posting groups (Visible = false)

  • Balance at Date details (Visible = false)

Available Actions for Team Members

Navigation Actions Team Members Can Access:

  • Ledger Entries - View general ledger entries (read-only)

  • Receivables-Payables - View AR/AP information

  • Balance by Dimension - Dimensional balance analysis

  • Balance by Periods - Period-based balance analysis

  • G/L Balance - General ledger balance overview

Restricted Actions:

  • Comments (Visible = false)

  • Extended Texts (Visible = false)

  • Account Dimension Relation (Visible = false)

  • Field Class VAT Setup (Visible = false)

Multi-Layer Security Architecture

Security Layer 1: License Level

  • Team Member license restrictions enforced by platform

  • Automatic blocking of unauthorized functions

  • License compliance monitoring

Security Layer 2: Application Area

  • Basic/Suite area assignments

  • Feature availability control

  • Function-level restrictions

Security Layer 3: Permission Sets

  • Object-level permissions (tables, pages, reports)

  • CRUD operations control (Create, Read, Update, Delete)

  • Execute permissions for pages and reports

Security Layer 4: Field Visibility

  • Individual field access control

  • Visible = false properties

  • Administrative field protection

Security Layer 5: Data Filtering

  • Dimension-based filtering at system level

  • Municipal boundary enforcement

  • Department-level restrictions

Municipal-Specific Security Features

Automatic Data Filtering

Municipality Assignment:

  • Users automatically filtered to their assigned municipality

  • Dimension filter applied at FilterGroup(8) - system level

  • Cannot access other municipal data

Performance Optimization:

// Only show accounts with activity
if Rec."Net Change" <> 0 then
    Rec.Mark(true)
else begin
    // No net change: keep the account only if it has a budget
    Rec.CalcFields("Budgeted Amount");
    if Rec."Budgeted Amount" <> 0 then
        Rec.Mark(true);
end;

Benefits:

  • Faster page loading by showing only relevant accounts

  • Reduced data volume for Team Members

  • Focus on accounts with activity or budget

Field Class System Security

Available Field Classes:

  • Balance Sheet Field Classes

  • Income Sheet Field Classes

  • VAT Setup by Field Class (restricted for Team Members)

Access Levels:

  • Team Members: View field class assignments only

  • Cannot modify field class VAT setup

  • Cannot change field class configurations

Runtime Security Implementation

Page Design Security Features

Field Styling and Access Control:

field("Nr."; Rec."No.")
{
    Style = Strong;
    StyleExpr = NoStyleExpr;  // Bold for non-posting accounts
}

field(Mismunur; Rec."Budgeted Amount" - Rec."Net Change")
{
    AutoFormatType = 1;       // Currency formatting
    BlankZero = true;         // Hide zero values
    Caption = 'Difference';
    Editable = false;         // Cannot be modified
}

Security Validation

Runtime Checks:

  • License type verification before page access

  • Permission set validation for each action

  • Dimension filter application

  • Field visibility enforcement

Best Practices for Team Member Security

1. Principle of Least Privilege

  • Assign minimum permissions required

  • Regular permission audits

  • Remove unused permission sets

  • Monitor permission usage

2. Layered Security Approach

  • Combine multiple security layers

  • Don't rely on a single security method

  • Implement defense in depth

  • Regular security reviews

3. Dimensional Security Strategy

  • Plan dimension hierarchies carefully

  • Use system-level filters (FilterGroup 8)

  • Document dimension assignments

  • Regular dimension access reviews

4. Monitoring and Compliance

  • Track license usage

  • Monitor access patterns

  • Audit permission changes

  • Maintain compliance documentation

5. Documentation and Training

  • Document all permission assignments

  • Train administrators on security principles

  • Provide user guidance on limitations

  • Maintain security procedures