How to: Create or Modify Permission Sets

If the default permission sets that are provided with Microsoft Dynamics NAV are not sufficient or not appropriate for your organization, then you can create new permission sets. If the individual object permissions that define a permission set are not adequate, then you can modify a permission set.

Note

Depending on the setting in the UI Elements Removal field in the Microsoft Dynamics NAV Server Administration tool, only UI elements on objects in the license or on objects that the user has permissions for will appear in the user interface. For more information, see Removing Elements from the User Interface According to Permissions. The majority of the permission sets that are provided with the CRONUS demonstration database cannot be combined with the FOUNDATION permission set to fully use the UI Elements Removal feature. To keep users from being blocked from performing the tasks involved, you must first create or edit the relevant permission sets.

You can create a permission set manually, or you can record permissions by navigating in the application.

Creating or Modifying Permission Sets

To create or edit a permission set

  1. In the Search box, enter Permission Sets, and then choose the related link.

  2. In the Permission Sets window, choose New.

  3. In the Permission Sets window, type a name for the new permission set in the Permission Set field and a brief description in the Name field.

    The name of the new permission set is automatically formatted in all uppercase letters.

  4. On the User Permission Sets FastTab, on the toolbar, choose Permissions.

  5. In the Permissions window, type or select a value in the Object Type field on the first line in the list.

    Note

    If you would prefer to select from a list that shows all database objects, on the Home tab, in the New group, choose All Permissions.

  6. In the Object ID field, enter the object that you want to define permissions for.

  7. Fill in the five fields for the different permission types as described in the following table.

    Option      Description
    <Blank>     Specifies that the permission type is not granted for the object.
    Yes         Specifies that the permission type is granted with direct access to the object.
    Indirect    Specifies that the permission type is granted with indirect access to the object.

    Having indirect permission to a table means that you cannot open the table and read from it, but you can view the data in the table through another object, such as a page, that you have direct permission to access.

    For more information, see the “Example – Indirect Permission” section in this topic.

  8. In the Security Filter field, enter a filter that you want to apply to the permissions that you have assigned to the object. For more information, see Record-Level Security.

  9. Repeat steps 2 through 8 to add permissions for additional objects to the permission set.

To record permissions

  1. In the Search box, enter Permission Sets, and then choose the related link.

  2. On the Home tab, choose New.

  3. Specify a name for the new permission set in the Permission Set field and a brief description in the Name field.

  4. On the Home tab, in the Process group, choose Permissions.

  5. In the Permissions window, on the Actions tab, choose Start.

    This starts a recording process that is based on the code coverage functionality in Microsoft Dynamics NAV. You can now access the various windows and activities in the Microsoft Dynamics NAV Windows client or the Microsoft Dynamics NAV Web client that you want users with this permission set to access. You must carry out the tasks that you want to record permissions for.

  6. When you want to finish the recording, return to the Permissions window, and then, on the Actions tab, choose Stop.

  7. Choose Yes to add the recorded permissions to the new permission set, or choose No to cancel.

  8. If you choose Yes, the objects that you accessed are added to the window. In Microsoft Dynamics NAV 2016, only the objects are recorded, so you must specify whether users must be able to insert, modify, or delete records in the recorded tables.

    For more information, see the previous procedure.

Example – Indirect Permission

You can assign an indirect permission to use an object only through another object.

For example, a user can have permission to run codeunit 80, Sales-Post. The Sales-Post codeunit performs many tasks, including modifying table 39, Purchase Line. When the user runs the Sales-Post codeunit, Microsoft Dynamics NAV checks whether the user has permission to modify the Purchase Line table.

  • If not, then the codeunit cannot complete its tasks, and the user receives an error message.

  • If so, the codeunit runs successfully.

However, the user does not need to have full access to the Purchase Line table to run the codeunit. If the user has indirect permission for the Purchase Line table, then the Sales-Post codeunit runs successfully.

When a user has indirect permission, that user can only modify the Purchase Line table by running the Sales-Post codeunit or another object that has permission to modify the Purchase Line table. The user can only modify the Purchase Line table when doing so from supported application areas. The user cannot run the feature inadvertently or maliciously by other methods.
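
The decision described in this example, written out as a simplified Python model. This is an added illustration, not Microsoft Dynamics NAV code; all names in it are hypothetical, and the table of which objects may act on a table on the user's behalf is an assumption made for the model.

```python
# Simplified model of the check in "Example - Indirect Permission".
# Not NAV code: every class, function and variable name here is hypothetical.
from enum import Enum

class Grant(Enum):
    BLANK = ""             # permission type is not granted
    YES = "Yes"            # granted with direct access
    INDIRECT = "Indirect"  # granted only through another object

class AccessDenied(Exception):
    """Stands in for the error message the user receives."""

# Assumption: which objects may act on a table on the user's behalf.
# Codeunit 80 (Sales-Post) modifies table 39 (Purchase Line), as on the page.
OBJECT_TABLE_RIGHTS = {("Codeunit", 80): {(39, "Modify")}}

def check_table(perm_set, table_id, perm_type, via=None):
    """Raise AccessDenied unless perm_type on table_id is allowed.
    via is the (type, ID) of the object the request comes through, or None
    when the user opens the table directly."""
    grant = perm_set.get(("TableData", table_id, perm_type), Grant.BLANK)
    if grant is Grant.YES:
        return
    through_object = (table_id, perm_type) in OBJECT_TABLE_RIGHTS.get(via, set())
    if grant is Grant.INDIRECT and through_object:
        return
    raise AccessDenied(f"{perm_type} on table {table_id} denied (via={via})")

def run_sales_post(perm_set):
    """Run codeunit 80, which modifies table 39 as one of its tasks."""
    if perm_set.get(("Codeunit", 80, "Execute"), Grant.BLANK) is not Grant.YES:
        raise AccessDenied("Execute on codeunit 80 denied")
    check_table(perm_set, 39, "Modify", via=("Codeunit", 80))
    return "posted"

def allowed(action, *args, **kwargs):
    """True if action completes, False if it raises AccessDenied."""
    try:
        action(*args, **kwargs)
        return True
    except AccessDenied:
        return False

# Constructed permission sets for the three outcomes the example describes.
EXECUTE = {("Codeunit", 80, "Execute"): Grant.YES}
INDIRECT_SET = {**EXECUTE, ("TableData", 39, "Modify"): Grant.INDIRECT}
DIRECT_SET = {**EXECUTE, ("TableData", 39, "Modify"): Grant.YES}

if __name__ == "__main__":
    for name, ps in [("blank", EXECUTE), ("indirect", INDIRECT_SET), ("yes", DIRECT_SET)]:
        print(name, allowed(run_sales_post, ps), allowed(check_table, ps, 39, "Modify"))
```

With the Indirect grant the codeunit completes while a direct modification of the table is refused, which is the least-privilege outcome the example describes.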

See Also

Tasks

How to: Try Out the UI Elements Removal Feature Based on Demonstration Permission Sets
How to: Specify When UI Elements Are Removed
How to: Remove UI Elements Using the AccessByPermission Property

Concepts

Special Permission Sets
About Permissions
Object-Level Security
Removing Elements from the User Interface According to Permissions

Other Resources

How to: Import the BASIC Permission Set
User Groups
Customize the User Interface