Mission Control - Using Permission Sets to protect Workflow Actions in BC

When using Mission Control Workflow within Business Central, it may be preferable to restrict the actions accessible to a user in Business Central and enable Mission Control to automate those actions. The most effective way to achieve this goal is by utilizing Business Central permission sets to control the actions that a user can take.

Official Microsoft Documentation: 

• Developer Level Documentation
• User Level Documentation

---

Building Reusable Exclusionary Permission Sets
Business Central's permissions are grouped together using "OR" statements meaning if one of the permission sets (D365 Bus Full Access) gives access to a feature and another permission set removes it, the feature will be included because at least one of the permission sets assigned to the user has access to the feature. The correct way to revoke permissions is to build 2 new permission sets. The first will be a reusable list of restrictions and the second will contain our base Business Central permissions while including the restrictions set. By building restrictions out in this way, the restriction set can be modified and reused over time and eliminate the need to add restrictions to every new permission set.  The below steps are an example of how to build this functionality out within Business Central:

1. Search Permission Sets in Business Central's global navigation

2. Select "New" and proceed to give the permission set a unique name. For this first example, we are building out a restrictions set containing all permissions we wish to revoke from a specific role.

In the above example, the restrictions set contains the following codeunits:

3.Once the restrictions set is in place, create another new permission set and give it a unique name. In the below example, we will name the permission sets according to the role of the user:

 The below example is the finished permission set that will allow my user access to D365 full access with the exception of the ability to release documents, post sales invoices and run warehouse actions.

4. To assign these permissions to a user, navigate to the global search and type "users". Select a user to edit, then add the newly created permission set to any of the users in the company and remove their old base Business Central permission set (D365 Bus Full Access in this case). Failure to remove the base permission set will still allow the user to complete all restricted actions due to conflicting sets being in place. 

The user now has the new sales role permission set:

---

For a more in depth review of permission sets, please contact your Microsoft Partner or refer the links at the top of this page.