Exclude permissions from wildcard permission sets
Important
This content is archived and is not being updated. For the latest documentation, go to What's new and planned for Dynamics 365 Business Central. For the latest release plans, go to Dynamics 365 and Microsoft Power Platform release plans.
| Enabled for | Public preview | General availability |
|---|---|---|
| Admins, makers, marketers, or analysts, automatically | - | 
Jan 6, 2023 |
Business value
Tailoring permissions to fit your business needs is important to businesses that want to manage their Business Central data safely and securely. For administrators (and partners), this can be a daunting task in terms of the number of objects they must grant permissions to and understanding the overall system. In practice, your needs may be close to some off-the-page permission set, but you simply want to exclude access from a few specific places for specific users.
Feature details
Starting with 2022 release wave 2, you can compose permission sets by including and excluding different permissions and permission sets from the list of effective permissions for a user.
Off-the-page permission sets come with permission sets that grant execute permissions to all non-table data objects making "all, but specific objects" scenarios difficult to set up.
You can now exclude specific permissions from permission sets that grant access to all objects of a certain type (wildcard permissions sets). One such permission set that gets assigned by default to many off-the-page permission sets through the D365 BASIC permission set is BASEAPP OBJECTS - EXEC, which grants execute access to all non-table data application objects.
For example, say you want users to be able to post documents to the general ledger, but you don't want them to be able to view general ledger entries. In a copy of the D365 BASIC permission set, you can now exclude execute access to the General Ledger Entries page that comes from the BASEAPP OBJECTS - EXEC wildcard permission set.
You can explore which permissions a permission set grants by choosing View all permissions on the Permission Set page.
Tell us what you think
Help us improve Dynamics 365 Business Central by discussing ideas, providing suggestions, and giving feedback. Use the forum at https://aka.ms/bcideas.