Permission sets define what a user can read, create, modify, or delete within Business Central. Every user needs at least one permission set to do anything meaningful in the system. Without the right permissions, users will hit access errors or find that pages and actions are simply missing.
This guide explains how permission sets work, how to assign them, and how to create your own when the built-in sets don’t fit.
What Permission Sets Are
A permission set is a named collection of permissions across tables, pages, reports, and codeunits. For example, the D365 BASIC permission set grants access to the most commonly used pages, while D365 ACCOUNTANT adds journal posting and financial reporting access.
Business Central includes a large library of system permission sets. These cover most standard roles. You can also create custom permission sets for specific job functions or to restrict access to sensitive data.
Permissions can be assigned in two ways:
- Directly on the User Card, applies only to that individual user
- Through a Security Group, applies to all members of the group at once
Assign a Permission Set Directly to a User
- Search for Users using
Alt + Qand open the page. - Select the user you want to configure.
- On the User Card, go to the User Permission Sets section at the bottom.
- Select + New Line to add a row.
- In the Permission Set field, use the dropdown to find and select the appropriate permission set.
- Repeat for any additional sets you need to assign.
Changes take effect the next time the user opens Business Central. Active sessions are not immediately affected.
Check What a User Can Actually Do
The Effective Permissions page shows the combined result of all permission sets assigned to a user, including direct assignments and any inherited through security groups.
- On the User Card, select Effective Permissions from the action bar.
- Use the Table lookup to select a specific table, or browse the list.
- The columns show whether the user has Read, Insert, Modify, Delete, and Execute rights on each object.
This is the most reliable way to diagnose access issues. If a user reports they cannot open a page or post a document, check the effective permissions on the relevant table and page object.
Create a Custom Permission Set
When none of the built-in sets match your requirements, you can create one from scratch.
- Search for Permission Sets and open the page.
- Select New.
- Enter a Code (short identifier) and a Name (description).
- Open the new permission set by selecting it.
- On the Permissions subpage, add rows for each object type you want to include:
- Set the Object Type (Table, Page, Report, Codeunit, etc.)
- Set the Object ID or look up the object by name
- Set the permission level for each action: Read, Insert, Modify, Delete, Execute
Use Yes for permissions the role needs and Indirect for permissions that are only needed indirectly (for example, a page may write to a table in the background). Use blank to deny.
Copy an Existing Permission Set as a Starting Point
Starting from scratch is rarely the most efficient approach. If a built-in set is close to what you need, copy it and adjust.
- Search for Permission Sets and open the page.
- Select the permission set you want to base your new one on.
- Choose Copy Permission Set from the action bar.
- Enter a new Code and Name for the copy.
- Select OK.
The copy is fully editable. The original system permission set is not affected.
Note that system permission sets (those with Type: System) are read-only. Copying them is the only way to modify their permissions.
Direct Assignment vs. Security Groups
Assigning permission sets one user at a time works, but it becomes hard to manage across larger teams. Security groups let you manage permissions for a group of users at once.
| Method | Best for |
|---|---|
| Direct assignment | Individual users, exceptions, or one-off access |
| Security group | Teams, departments, or role-based access at scale |
When a user is a member of a security group, all permission sets assigned to that group are automatically applied to them. If the group’s permissions change, every member is updated without any manual steps.
For details on setting up security groups, see How to Configure Security Groups in Business Central.