Skip to main content

Mission Control - Using Permission Sets to protect Workflow Actions in BC - Knowledgebase / Mission Control / Mission Control Documentation - Cavallo Technical Support

Mission Control - Using Permission Sets to protect Workflow Actions in BC

Authors list

When using Mission Control Workflow within Business Central, it may be preferable to restrict the actions accessible to a user in Business Central and enable Mission Control to automate those actions. The most effective way to achieve this goal is by utilizing Business Central permission sets to control the actions that a user can take.

Official Microsoft Documentation:


Building Reusable Exclusionary Permission Sets
Business Central's permissions are grouped together using "OR" statements meaning if one of the permission sets (D365 Bus Full Access) gives access to a feature and another permission set removes it, the feature will be included because at least one of the permission sets assigned to the user has access to the feature. The correct way to revoke permissions is to build 2 new permission sets. The first will be a reusable list of restrictions and the second will contain our base Business Central permissions while including the restrictions set. By building restrictions out in this way, the restriction set can be modified and reused over time and eliminate the need to add restrictions to every new permission set. The below steps are an example of how to build this functionality out within Business Central:

1. Search Permission Sets in Business Central's global navigation

xzLhQyrHCUT3yj7l3U922JuMkvACVFoX.gif?access_token=sncl9p-cszvvsuymg-992bba682b8d6e9091701486e4e6dd1cf6f6e493

2. Select "New" and proceed to give the permission set a unique name. For this first example, we are building out a restrictions set containing all permissions we wish to revoke from a specific role.

4MT1i8fdhtm7n8LfyrpUazgEl2xLuuNj.gif?access_token=sncl9q-uxqnmkcaji-476f08a572377accb624ef0b709b4ff743cf5be6
In the above example, the restrictions set contains the following codeunits:

X41nUXlTjAvuY44QtflTz3MGRwqHwhOE.png?access_token=sncl9p-clohpsjkeb-2855bf6afddf042afe72239d6078bf1ecce2ed2f

3.Once the restrictions set is in place, create another new permission set and give it a unique name. In the below example, we will name the permission sets according to the role of the user:

BX8OiT5BEHcwEVKJJz5k3oGBSsLy1mu4.gif?access_token=sncl9o-ljuskkwwmg-4a4b17ef7b140be05683065f70fd182c3af48a32 The below example is the finished permission set that will allow my user access to D365 full access with the exception of the ability to release documents, post sales invoices and run warehouse actions.

0ROhCuIsqj70irWw5Hgssw0zFBK7JCKy.png?access_token=sncl9p-tgdskbtmko-8c10df76099ab565afde4d2eea0952bda84b8e3d

4. To assign these permissions to a user, navigate to the global search and type "users". Select a user to edit, then add the newly created permission set to any of the users in the company and remove their old base Business Central permission set (D365 Bus Full Access in this case). Failure to remove the base permission set will still allow the user to complete all restricted actions due to conflicting sets being in place.

t0TotZl1Mp9ZV5OE8U8ZvdVkah5sfADO.gif?access_token=sncl9r-yucefgvmru-a9bf78cde4cf6f4a8561116eb35d27be5cc32aca

The user now has the new sales role permission set:

5ghxcDD5gPeDa0frCQwZYCSfn12FOcbq.png?access_token=sncl9t-vgepsmaxil-b9c51600be9709ac16496532fdda47cab7f6aa55



For a more in depth review of permission sets, please contact your Microsoft Partner or refer the links at the top of this page.

Helpful Unhelpful