If you really were burning to find and read one more piece of teaching on permissions and access to BC, your search can end 🙂
Overview of concepts related to access to BC
With BC 2023 wave 1 Microsoft introduces the concept of security groups. With security groups, it is easier, as you’ll see in this blog post, to manage user permissions.
But, before jumping to Security Groups let’s review what Microsoft added to Business Central in terms of permissions.
First, Composed Permission Sets. Now you can create a new permission set from two or more existing permission sets with IncludePermissionSets and ExcludePermissionSets attributes. Check the MS Learn page here.
Next, Microsoft introduced the concept of Inherent Permissions. Check this Microsoft Learn page to find out details.
Third, is the Fast User Sync. What is this? Microsoft worked on improving the following functionality in Business Central. On Users list page, there is an action “in Microsoft “Update Users from Microsoft 365”:
This action used to loop through all Microsoft 365 aka Azure AD and pull all users done in Business Central. With the latest changes, more specifically with the changes in codeunit “Azure AD User Sync Impl.” Microsoft now brings in BC only users with a Business Central license.
Lastly, we reach the topic of this blog post, the Security Groups.
“Security groups make it easier for administrators to manage user permissions. For example, for Business Central online, they’re reusable across Dynamics 365 applications, such as SharePoint Online, CRM Online, and Business Central. Administrators add permissions to their Business Central security groups, and when they add users to the group the permissions apply to all members. For example, an administrator can create a Business Central security group that gives salespeople the ability to create and post sales orders. Or, let purchasers do the same for purchase orders.”
Just like User Groups, with Security Groups, once created you add permissions sets and members.
The difference is that User Groups are a Business Central concept, and they only exist in Business Central, wehereas Security Groups are created first in Microsoft 365 or Azure Actve Directory if you have Business Central Online, or you create a group in Windows Active Directory first.
Once (Security) Group is created in the Azure AD or Windows AD, you can pull it in Business Central.
Let’s see how that works. Will focus on the Business Central online use case.
Create Microsoft 365 Security Group
1. Navigate to Microsoft 365 Admin Center
2. Under Teams & Groups, Active Teams & Groups, click on Add Group under Microsoft 365:
And we are welcomed with a wizard for creating the group:
For Group Type use Security. There are other groups there, which could be useful for creating a distribution email inbox for a group inbox; for Teams conversations you can create a group of type Microsoft 365.
Name the new group:
Once security group created you can add owners/members to it.
Pull Security Group in BC
Search for Security Groups page, and click on + New.
Lookup … one of the existing security groups in Microsoft 365, and assign permission sets to the group.
For more information and details, check out my video.
Transition from User Groups to Security Groups
Feature Management contains an entry for migration from User Groups:
“Convert user groups permissions”.
To see how the migration works, enable it for all users and run through the wizard.
At the end of the wizard you could end up in one of two cases:
- permission sets belonging to the user group will be transitioned under each user in the user group
- permission sets belonging to the user group are composed and the resultant permission set is added to each user in the group.
- The user group is removed and the fasttab for user groups are hidden on user card.
For more information and details watch my video.
Before I go
The Security Groups will be turned on to be the default method of accessing BC in version 25.
There is time to test and decide the best way to set up your security groups and the permission sets.
You should also find time to get used to concepts like:
- composing permission sets
- inherent permissions
Wish you, all my readers, the best!