Override entitlements with inherent permissions


Before 2022 release wave 2, inherent permissions could only extend the role permissions a user already had from assigned permission sets, and never beyond what the user's license and entitlements allow. If a developer granted fewer permissions than the license and entitlements, the user was unaffected; if the developer granted more, everything above the license and entitlements was ignored. In effect, the permissions were capped by the entitlements.

Used that way, the InherentPermissions attribute can't go above and beyond entitlements, regardless of what permissions the developer grants through AL code.

In the 2022 release wave 2, we added the ability to override entitlements with inherent permissions, selected through the attribute's scope parameter (InherentPermissionsScope::Both in the example further down).

With inherent permissions, developers can grant permissions to a method or event for the time the code executes. As soon as execution completes, the permissions are revoked. Inherent permissions simplify the overall management and maintenance of permission sets: a specific AL method or event gets the elevated permissions it needs to finish the task at hand without raising permission errors. This tightens overall security by keeping long-term user permissions small and giving the permissions to the code path instead.

Note

You can use inherent permissions only for objects within the same extension.

For example, a salesperson wants to run a report that includes certain critical pieces of information. In the background, a method runs a query that fetches the information from the table holding the classified data. With inherent permissions, instead of granting the salesperson permissions on that table, a developer attaches the permission to that specific code path. The method is granted permission on the given object, in this case a table, so whenever an authorized person runs the method, the needed permissions are in place to complete the request.

Reserve inherent permissions for small, dedicated procedures or system tasks that can't expose data to users. Because the grant belongs to the code path rather than to a user, every caller of the method gets its effect, so keep the method's inputs narrow and return only what the task needs.

Let's look at a code example for the InherentPermissions attribute:

```al
// Read-only access to Customer table data ('r' applies to TableData), in effect only while this procedure runs.
// Scope Both lets the grant apply over both the user's permission sets and entitlements.
[InherentPermissions(PermissionObjectType::TableData, Database::Customer, 'r', InherentPermissionsScope::Both)]
procedure GetCustomersLocation(): CustomerLocation
```

Referring to the example above, let's say the report needs to show which location has the most sales for the quarter. As it isn't ideal to grant access to all customer data, read permission on the Customer table is granted to the method instead. Note that the permission itself covers the whole table; it is the method's code that only fetches the customer's location and leaves other details (such as name, address, and so on) private.

Inherent permissions and inherent entitlements together give developers more flexibility to assign permissions to their methods, events, and objects. Developers can define inherent entitlements for their objects, such as codeunits, tables, and pages. In this way, developers can give all users enough access to carry out essential tasks without interruption, regardless of what access their current license or entitlement grants them.
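The following codeunit is an added example, not code from the original page, that puts the salesperson scenario and the inherent entitlements described above into one complete object. The object ID 50100, the codeunit name and the procedure names are assumptions; Customer and its Location Code field are the standard Base Application table and field. The first procedure carries the InherentPermissions attribute with scope Both, the second performs the identical read without it so the difference in behaviour for a user lacking Customer permissions is visible side by side.

```al
// Added example (not from the original page). Object ID 50100, the codeunit name and the
// procedure names are assumptions; Customer is the standard Base Application table.
codeunit 50100 "Customer Location Lookup"
{
    // Inherent entitlement and permission on the object itself: a user may execute this
    // codeunit even if their license or permission sets don't cover it.
    InherentEntitlements = X;
    InherentPermissions = X;

    // Read access to Customer table data is granted only while this procedure runs and is
    // revoked on exit. Scope Both overrides both the user's permission sets and entitlements,
    // so the caller needs no Customer permissions at all.
    // The procedure is internal so that only this extension's own objects can reach the
    // elevated code path (inherent permissions are limited to the same extension anyway).
    [InherentPermissions(PermissionObjectType::TableData, Database::Customer, 'r', InherentPermissionsScope::Both)]
    internal procedure GetLocationCode(CustomerNo: Code[20]): Code[10]
    var
        Customer: Record Customer;
    begin
        // The grant covers the whole Customer table, so what keeps name, address and so on
        // private is the code: load and return only the Location Code field.
        Customer.SetLoadFields("Location Code");
        if not Customer.Get(CustomerNo) then
            exit('');
        exit(Customer."Location Code");
    end;

    // Same read without the attribute: it runs under the caller's own permissions and raises
    // a permission error for a user whose permission sets or entitlements lack read on Customer.
    internal procedure GetLocationCodeUnelevated(CustomerNo: Code[20]): Code[10]
    var
        Customer: Record Customer;
    begin
        Customer.SetLoadFields("Location Code");
        if not Customer.Get(CustomerNo) then
            exit('');
        exit(Customer."Location Code");
    end;
}
```

The report code in the same extension calls GetLocationCode with a customer number and receives only the location; the elevated read never leaves the procedure. Keeping the parameter a single customer number rather than a caller-supplied filter is deliberate: because the grant is attached to the code path, any caller gets its effect, so the procedure should not let the caller decide what it reads.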