This section details how user access is controlled through multiple layers of security in Business Central 25, with specific focus on the Municipal manager implementation.
Permission Set Architecture
Standard Team Member Permission Sets
Essential Permission Sets:
- TEAM MEMBER - Core Team Member functionality
- D365 TEAM MEMBER - Standard Team Member access
- D365 READ - Read access to common entities
Optional Permission Sets:
- D365 JOURNALS, POST - If they need to post journals
- TIMESHEET - For time tracking functionality
- WORKFLOW APPROVAL - For approval processes
Custom Permission Set Creation
- Go to "Permission Sets" page
- Click "New"
- Create custom permission set with required permissions
- Assign to Team Member users as needed
Example Custom Permissions for Account Budget Overview:
Object Type: Table Data
Object ID: 15 (G/L Account)
Read Permission: Yes
Insert Permission: No
Modify Permission: No
Delete Permission: No
Object Type: Page
Object ID: 10008094 (Sve Account Budget Overview)
Read Permission: Yes
Insert Permission: No
Modify Permission: No
Delete Permission: No
Execute Permission: Yes
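One way to check a custom permission set against the baseline listed above, as an added example that is not part of the original page or the project's code: it reports any right beyond the baseline, wildcard entries, and missing entries. The CSV layout, the sample rows and the function names are assumptions constructed for illustration.

```python
import csv
import io

RIGHTS = ("Read", "Insert", "Modify", "Delete", "Execute")

# Baseline copied from the "Example Custom Permissions" list on this page.
BASELINE = {
    ("Table Data", 15): {"Read"},             # G/L Account
    ("Page", 10008094): {"Read", "Execute"},  # Sve Account Budget Overview
}

# Constructed sample rows; the CSV layout is an assumption, not a BC export format.
SAMPLE = """\
Object Type,Object ID,Read,Insert,Modify,Delete,Execute
Table Data,15,Yes,No,Yes,No,No
Page,10008094,Yes,No,No,No,Yes
Table Data,0,Yes,No,No,No,No
Report,50000,No,No,No,No,Yes
"""


def granted(row):
    """Rights whose value is anything but No/blank (Indirect counts as granted)."""
    return {r for r in RIGHTS if (row.get(r) or "").strip().lower() not in ("", "no")}


def audit(csv_text, baseline=BASELINE):
    """Return [((object_type, object_id), finding), ...] in row order."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Object Type"].strip(), int(row["Object ID"]))
        have = granted(row)
        seen.add(key)
        if key[1] == 0 and have:
            # Object ID 0 grants the rights on every object of that type.
            findings.append((key, "wildcard: covers every object of this type"))
        elif key not in baseline:
            if have:
                findings.append((key, "not in baseline: " + ", ".join(sorted(have))))
        else:
            extra, missing = have - baseline[key], baseline[key] - have
            if extra:
                findings.append((key, "excess rights: " + ", ".join(sorted(extra))))
            if missing:
                findings.append((key, "missing rights: " + ", ".join(sorted(missing))))
    for key in sorted(set(baseline) - seen):
        findings.append((key, "baseline entry missing"))
    return findings


if __name__ == "__main__":
    for (obj_type, obj_id), finding in audit(SAMPLE):
        print(f"{obj_type} {obj_id}: {finding}")
```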
Access Control Implementation
1. Application Area Controls
The system uses Application Area settings to control feature availability:
Application Area Levels:
- Basic - Standard access level for Team Members
- Suite - Extended functionality (if assigned)
- All - Full access (restricted to administrators)
Code Implementation:
ApplicationArea = Basic, Suite; // Standard access level
ApplicationArea = All; // Full access (admin level)
For Team Members:
- Typically assigned Basic application area
- Suite area for extended functionality
- All area restricted to administrators
2. Field-Level Visibility Controls
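Individual fields can be hidden from Team Members using visibility controls. Visible = false only hides a field in the page layout; access to the underlying data is still determined by the user's permission sets.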
Implementation Example:
field(GlobalDimension1Code; Rec."Global Dimension 1 Code")
{
    ApplicationArea = Basic, Suite;
    Visible = false; // Hidden from user interface
}
Common Hidden Fields for Team Members:
- Global Dimension codes (for security)
- Posting group details
- Advanced configuration fields
- Balance at date details
3. Edit Restrictions
Entire sections can be made read-only for Team Members:
Implementation:
repeater(Control1)
{
    Editable = false; // Prevents any editing
    // Field definitions...
}
4. Income/Balance Categorization
The system uses specific enums to control access to different account types:
Income/Balance Categories:
- Income - Operating accounts
- Balance - Balance sheet accounts
Filter Options:
- None - No filtering applied
- Income - Income statement accounts only
- Balance - Balance sheet accounts only
5. Dimension-Based Filtering
Access is controlled through dimension filters:
Municipal Dimension Management:
// Municipality dimension management
DimFilter := MunicipalityDimMgt.FindDim1Filter('FIN', '');
if DimFilter <> '' then begin
    Rec.FilterGroup(8);
    Rec.SetFilter("Global Dimension 1 Filter", DimFilter);
    Rec.FilterGroup(0);
end;
For Team Members:
- Automatic filtering based on assigned dimensions
- Limited to specific organizational units
- Cannot access all dimensional data
Specific Access Controls in Account Budget Overview
Page-Level Security (Page ID: 10008094)
Data Source Configuration:
SourceTable = "G/L Account";
SourceTableView = sorting("Income/Balance") order(ascending);
UsageCategory = Lists;
Edit Control:
- Entire page set to Editable = false
- No data modification allowed
- Read-only access to all information
Visible Fields for Team Members
Financial Information:
- Account Number
- Account Name
- Account Type
- Net Change (with BlankZero formatting)
- Budgeted Amount
- Balance
- Difference calculation (Budgeted Amount - Net Change)
- Totaling information
Hidden Fields from Team Members
Administrative Fields:
- Income/Balance classification (Visible = false)
- Global Dimension 1 Code (Visible = false)
- Global Dimension 2 Code (Visible = false)
- Posting type details (Visible = false)
- Business/Product posting groups (Visible = false)
- Balance at Date details (Visible = false)
Available Actions for Team Members
Navigation Actions Team Members Can Access:
- Ledger Entries - View general ledger entries (read-only)
- Receivables-Payables - View AR/AP information
- Balance by Dimension - Dimensional balance analysis
- Balance by Periods - Period-based balance analysis
- G/L Balance - General ledger balance overview
Restricted Actions:
- Comments (Visible = false)
- Extended Texts (Visible = false)
- Account Dimension Relation (Visible = false)
- Field Class VAT Setup (Visible = false)
Multi-Layer Security Architecture
Security Layer 1: License Level
- Team Member license restrictions enforced by platform
- Automatic blocking of unauthorized functions
- License compliance monitoring
Security Layer 2: Application Area
- Basic/Suite area assignments
- Feature availability control
- Function-level restrictions
Security Layer 3: Permission Sets
- Object-level permissions (tables, pages, reports)
- CRUD operations control (Create, Read, Update, Delete)
- Execute permissions for pages and reports
Security Layer 4: Field Visibility
- Individual field access control
- Visible = false properties
- Administrative field protection
Security Layer 5: Data Filtering
- Dimension-based filtering at system level
- Municipal boundary enforcement
- Department-level restrictions
Municipal-Specific Security Features
Automatic Data Filtering
Municipality Assignment:
- Users automatically filtered to their assigned municipality
- Dimension filter applied at FilterGroup(8) - system level
- Cannot access other municipal data
Performance Optimization:
// Only show accounts with activity
if Rec."Net Change" <> 0 then
    Rec.Mark(true)
else begin
    // No net change: keep the account only if it has a budget
    Rec.CalcFields("Budgeted Amount");
    if Rec."Budgeted Amount" <> 0 then
        Rec.Mark(true);
end;
Benefits:
- Faster page loading by showing only relevant accounts
- Reduced data volume for Team Members
- Focus on accounts with activity or budget
Field Class System Security
Available Field Classes:
- Balance Sheet Field Classes
- Income Sheet Field Classes
- VAT Setup by Field Class (restricted for Team Members)
Access Levels:
- Team Members: View field class assignments only
- Cannot modify field class VAT setup
- Cannot change field class configurations
Runtime Security Implementation
Page Design Security Features
Field Styling and Access Control:
field("Nr."; Rec."No.")
{
    Style = Strong;
    StyleExpr = NoStyleExpr; // Bold for non-posting accounts
}
field(Mismunur; Rec."Budgeted Amount" - Rec."Net Change")
{
    AutoFormatType = 1; // Currency formatting
    BlankZero = true; // Hide zero values
    Caption = 'Difference';
    Editable = false; // Cannot be modified
}
Security Validation
Runtime Checks:
- License type verification before page access
- Permission set validation for each action
- Dimension filter application
- Field visibility enforcement
Best Practices for Team Member Security
1. Principle of Least Privilege
- Assign minimum permissions required
- Regular permission audits
- Remove unused permission sets
- Monitor permission usage
2. Layered Security Approach
- Combine multiple security layers
- Don't rely on single security method
- Implement defense in depth
- Regular security reviews
3. Dimensional Security Strategy
- Plan dimension hierarchies carefully
- Use system-level filters (FilterGroup 8)
- Document dimension assignments
- Regular dimension access reviews
4. Monitoring and Compliance
- Track license usage
- Monitor access patterns
- Audit permission changes
- Maintain compliance documentation
5. Documentation and Training
- Document all permission assignments
- Train administrators on security principles
- Provide user guidance on limitations
- Maintain security procedures