Get started with entitlements and permissions

Business Central uses two main concepts for defining access to functionality:

  • Entitlements

  • Permissions

Entitlements describe which objects in Business Central a customer is entitled to use, according to the license that they purchased from Microsoft or according to the Microsoft Entra ID role that they've assigned in Microsoft 365 admin center, such as Global Administrator. Entitlements are only used in the online version of Business Central.

Permissions describe which objects an administrator or a partner has given the user access to. Permission sets combine object permissions into logical groups (or sets), which can then be assigned to users explicitly or through the User Group.

Permission sets scope

A Business Central solution contains many predefined permission sets that are added by Microsoft or by your software provider (by an ISV application that you installed from AppSource).

Permission sets that are defined as AL objects and are included by Microsoft or with apps from AppSource are of the type System. Users can't create or edit these types of permission sets or the permissions within them. However, they can copy these permission sets to define their own permission sets and permissions. Permission sets that users create, either from scratch or as copies, are of the type User-Defined, and they can be edited.

Create entitlements and permission sets in AL

When you are developing an app, entitlements and permission sets are handled as objects in AL, and you can extend existing permission sets in AL.

Use the following object types for handling entitlements and permissions:

  • Entitlement

  • PermissionSet

  • PermissionSetExtension
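
The following AL sketch is an added example, not code from the original page or from Microsoft. It shows the three object types working together with read and write access kept in separate permission sets. The "Loyalty Card" table, the object names and IDs, and the entitlement Id are hypothetical placeholders; "D365 BASIC" is assumed to be available from the base application.

```al
// Hypothetical table that the app wants to protect.
table 50100 "Loyalty Card"
{
    DataClassification = CustomerContent;
    fields
    {
        field(1; "Card No."; Code[20]) { }
        field(2; "Customer No."; Code[20]) { }
    }
    keys
    {
        key(PK; "Card No.") { Clustered = true; }
    }
}

// Read-only set: the smallest grant that lets a user view the data.
permissionset 50100 "Loyalty - Read"
{
    Assignable = true;
    Caption = 'Loyalty - Read';
    Permissions = tabledata "Loyalty Card" = R;
}

// Edit set: builds on the read set and adds insert, modify, delete.
permissionset 50101 "Loyalty - Edit"
{
    Assignable = true;
    Caption = 'Loyalty - Edit';
    IncludedPermissionSets = "Loyalty - Read";
    Permissions = tabledata "Loyalty Card" = IMD;
}

// Extends an existing System permission set instead of copying it.
// Only read access is added, so basic users cannot change the data.
permissionsetextension 50100 "Loyalty D365 BASIC" extends "D365 BASIC"
{
    Permissions = tabledata "Loyalty Card" = R;
}

// Entitlement (online only): the upper bound of what a license allows.
entitlement "Loyalty Entitlement"
{
    Type = PerUserServicePlan;                    // assumed license type
    Id = '00000000-0000-0000-0000-000000000000'; // placeholder plan ID
    ObjectEntitlements = "Loyalty - Edit";
}
```

Because these objects live in source control, any widening of access (for example, changing `R` to `RIMD` in the extension) shows up as a reviewable diff.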

Versions of Business Central

In releases of Business Central prior to 2021 release wave 1 (v18.0), System and Extension permissions and entitlements were defined as data in the application database. They were stored in the following tables.

Entitlements tables:

  • Entitlement

  • Entitlement Set

  • Membership Entitlement

Permissions tables:

  • Permission Set

  • Permission

Keeping such sensitive information as data comes with more maintenance, security, and audit risks for the software providers (ISVs). Ideally, changes that are applied to this data should be traceable and simple to update and maintain. Now, the System permissions and entitlements are defined in code by using Entitlement, PermissionSet, and PermissionSetExtension AL objects. This change provides ISVs with the advantages of using the AL Language extension in Visual Studio Code and source control systems (such as Visual Studio Codespaces and GitHub) to design, get an overview of, and track changes to the objects that describe user access.

Turning this data into code has another significant advantage: the ability to apply hotfixes to the entitlements and permissions in the same way that hotfixes are applied to the apps, by updating an app to a new version that carries the fixed code. This approach considerably improves Business Central support agility and ultimately improves customer satisfaction with the service.

The new AL objects will become the core building blocks in the story of monetizing the apps from AppSource. With these new AL objects, AppSource ISVs can define which capabilities of their apps should be made available to their users when the customers purchase their app licenses. Business Central helps make this process easier by moving the entitlements and permission sets into AL objects for Microsoft apps. As a result, ISVs can follow the same approach for their apps when the monetization story is introduced.

User-Defined permission sets and permissions, and the functionality around them, remain unchanged from earlier versions and they're still stored as data in the tenant database:

  • Tenant Permission

  • Tenant Permission Set

Permission sets and permissions that are included with apps in XML format will continue to work as before. However, we recommend that you start using the AL objects of type PermissionSet and PermissionSetExtension instead.