With the refactoring done in Dynamics 365 Business Central to better support the SaaS environment, it is not easy to check whether a user has a specific permission on a specific object.
The Permission Range table is now a system table that cannot be used in a SaaS environment, and the License Permission table does not give you specific user permissions. The ReadPermission and WritePermission methods (which determine whether a user has read and write permission on an object) are only available for table objects, and this is often not enough if you have complex security checks to implement (for example, if you want to test whether your user has execute permissions on a specific codeunit).
To achieve that goal, you can now use the Effective Permissions Mgt. codeunit, which has a method called PopulatePermissionRecordWithEffectivePermissionsForObject that populates a Permission record for a specific object and a specific user. This method has the following signature:
procedure PopulatePermissionRecordWithEffectivePermissionsForObject(var Permission: Record Permission; PassedUserID: Guid; PassedCompanyName: Text; PassedObjectType: Option; PassedObjectId: Integer)
To show how to use this method, I’ve created a procedure that receives as input the object to check and then retrieves the permissions of the specific user on this object. The code is as follows:
As you can see, PopulatePermissionRecordWithEffectivePermissionsForObject receives the required parameters and populates the temporary Permission record that I’m passing. You can then check the newly created permission record as you need (here, for example, I’m checking for the Execute permission, and if the user has no execute permission on the given object I can act accordingly).
To call the CheckUserPermission procedure above for a specific object (for example the 80 – Sales Post codeunit), you can just do the following:
That’s quite hidden I know… but now there’s a quick solution 🙂
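The check and the call described above, as an added AL example (not the author's original listing). It assumes the Permission table exposes an "Execute Permission" option field whose blank value means no permission, and that the populated record can be read directly after the call; the codeunit ID 50100, its name, the procedure EnsureCanRunSalesPost and the label text are hypothetical.

```al
codeunit 50100 "Permission Check Example"
{
    var
        // Hypothetical error text for this example
        NoExecutePermissionErr: Label 'You do not have execute permission on object ID %1.', Comment = '%1 = object ID';

    // Retrieves the effective permissions of the current user on the
    // given object and stops with an error if Execute is not granted.
    procedure CheckUserPermission(ObjectType: Option; ObjectID: Integer)
    var
        TempPermission: Record Permission temporary;
        EffectivePermissionsMgt: Codeunit "Effective Permissions Mgt.";
    begin
        // Populate the temporary record for the current user and company
        EffectivePermissionsMgt.PopulatePermissionRecordWithEffectivePermissionsForObject(
            TempPermission, UserSecurityId(), CompanyName(), ObjectType, ObjectID);

        // Fail closed: a blank option value is treated as "not permitted".
        // This reflects effective permissions only, not license restrictions
        // (see the comment about team member licenses below).
        if TempPermission."Execute Permission" = TempPermission."Execute Permission"::" " then
            Error(NoExecutePermissionErr, ObjectID);
    end;

    // Example call for codeunit 80 (Sales-Post)
    procedure EnsureCanRunSalesPost()
    var
        Permission: Record Permission;
    begin
        // The record variable is used only to reach the Object Type option values
        CheckUserPermission(Permission."Object Type"::Codeunit, Codeunit::"Sales-Post");
    end;
}
```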
Hi Stefano, I just stumbled across your post – great one! Thanks for this! Please, allow me an additional note. I used this code to test permissions with a team member license. Unfortunately, the codeunit only checks the permissions in the effective permission, and neglects license restrictions. Maybe this helps somebody sometime…
Thanks for the comment.
Hi Stefano… great blog and great post. I’m using this method in a new extension but the table “Permission” is marked as obsolete and the reason is “Internal table which will be moved to the OnPrem scope in next major release”.
The function “PopulatePermissionRecordWithEffectivePermissionsForObject” remains the same and there is no equivalent function without “Permission” table as a parameter. Do you know another way to achieve this? I think we have a month to change this code, for version 21.
There’s a table called “Expanded Permission” that should replace the Permission table in the future.
Do you think Microsoft will add an equivalent function but using this “Expanded Permission” table instead of “Permission” table?
The problem is not the table itself, it’s that a function uses a table that will be declared as “OnPrem” in the next version and we need a cloud usable function to get permissions for an object.
Actually there is an open issue on this inside MS. I think something will be done but no more news on that at the moment.