
Authorizations in Business Central: innovative use of exclude rights
In Microsoft Dynamics 365 Business Central, user authorizations are managed through permission sets. These allow you to determine who has access to which tables, pages, and reports. Within these sets, you can use include and exclude permissions, each of which plays a different role in access management.
Include versus Exclude
- Include rights: explicitly grant access to particular objects or actions. For example, a user may read and edit a specific table;
- Exclude rights: explicitly block access to objects or actions, even if other permission sets grant access.
Important: exclude rights always take precedence over include rights. If a user has access through another set but is blocked by an exclude right, the exclude prevails and access is blocked.
Why exclude rights are indispensable in Business Central authorizations
The use of exclude rights within standard permission sets offers several advantages:
- Manageability and scalability: Standard sets manage general access. With exclude rights, you can manage exceptions in a granular way without creating a new set for each deviation.
- Risk limitation: Sensitive objects can be explicitly protected, even if users have broad access through a standard set of permissions.
- Efficiency in authorization management: You don’t need to create new include sets each time. One standard set, supplemented with exclude rights, is sufficient.
- Consistency and reusability: Standard sets are tested and maintained by Microsoft or partners. By only implementing corrections via exclude rights, you maintain consistency and reduce maintenance costs.
- Auditing and compliance: It is easier to demonstrate that access to sensitive data is explicitly blocked than to prove that access was never granted via include rights.
Practical example: purchasing versus sales
Suppose an employee is allowed to make purchases but is not permitted to view sales data.
- Role: purchasing employee;
- Standard rights set: D365 PURCH AGENT (access to purchasing functionality);
- Problem: this set also provides access to sales tables and pages, such as customer cards or sales orders, that this employee is not authorized to view.
Solution:
- Assign the standard D365 PURCH AGENT set. This gives the employee all the necessary rights for purchasing;
- Create a separate rights set with only exclude rights for sales data;
- Assign both sets to the employee. The standard set provides access, but the exclude set explicitly blocks access to sales data.
Result:
- The employee has all necessary purchasing rights;
- Access to sales data is explicitly blocked;
- The exclude rights can be reused for other purchasing employees.
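The purchasing example above can be checked with a small audit script. This is an added example, not code from the original article or from Microsoft: it applies the precedence rule as this page states it, and the permission lines, the set name EXCL-SALES and the user names are constructed assumptions, not the real contents of D365 PURCH AGENT.

```python
# Constructed sample data: (permission set, line type, object type, object name).
# These lines are illustrative, not the real contents of D365 PURCH AGENT.
PERMISSION_LINES = [
    ("D365 PURCH AGENT", "Include", "Table", "Purchase Header"),
    ("D365 PURCH AGENT", "Include", "Table", "Vendor"),
    ("D365 PURCH AGENT", "Include", "Table", "Sales Header"),
    ("D365 PURCH AGENT", "Include", "Page", "Customer Card"),
    # EXCL-SALES is a hypothetical name for the exclude-only set.
    ("EXCL-SALES", "Exclude", "Table", "Sales Header"),
    ("EXCL-SALES", "Exclude", "Table", "Customer"),
    ("EXCL-SALES", "Exclude", "Page", "Customer Card"),
]
ASSIGNMENTS = {  # constructed users
    "ANNA": ["D365 PURCH AGENT", "EXCL-SALES"],
    "BEN": ["D365 PURCH AGENT"],  # exclude set was forgotten
}
SENSITIVE = {("Table", "Sales Header"), ("Table", "Customer"),
             ("Page", "Customer Card")}

def effective_access(sets, lines=PERMISSION_LINES):
    """Objects a user reaches: every include minus every exclude
    across all assigned sets (exclude prevails, as the page states)."""
    included, excluded = set(), set()
    for pset, kind, obj_type, name in lines:
        if pset in sets:
            (excluded if kind == "Exclude" else included).add((obj_type, name))
    return included - excluded

def audit(assignments=ASSIGNMENTS, sensitive=SENSITIVE):
    """Return users who can still reach sensitive sales objects."""
    findings = {}
    for user, sets in assignments.items():
        leaked = effective_access(sets) & sensitive
        if leaked:
            findings[user] = sorted(leaked)
    return findings

def include_lines_in(exclude_only_set, lines=PERMISSION_LINES):
    """An exclude-only set must not carry include lines; list any that do."""
    return [l for l in lines if l[0] == exclude_only_set and l[1] != "Exclude"]

if __name__ == "__main__":
    for user, objects in audit().items():
        print(f"{user}: still reaches {objects}")
    print("Include lines in EXCL-SALES:", include_lines_in("EXCL-SALES"))
```

Replacing the constructed lists with an export of the real permission lines and user assignments turns this into a recurring check that every purchasing employee also carries the exclude set.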
With exclude rights, you maintain control over exceptions without polluting the standard structure of rights sets. This makes authorization management in Business Central safer, more efficient, and more scalable.
Mark Landman

