Dynamics 365 Business Central: checking user permissions on specific objects

After the refactoring done in Dynamics 365 Business Central to better support the SaaS environment, it is not easy to check whether a user has a specific permission on a specific object.

The Permission Range table is now a system table that cannot be used in a SaaS environment, and the License Permission table does not give you specific user permissions. The ReadPermission and WritePermission methods (which determine whether a user has read and write permission on an object) are only available for table objects, and often this is not enough if you have complex security checks to implement (for example, if you want to test whether your user has execute permission on a specific codeunit).

To achieve that goal, you can use the Effective Permissions Mgt. codeunit, which now has a method called PopulatePermissionRecordWithEffectivePermissionsForObject that lets you populate a Permission record for a specific object and a specific user. This method has the following signature:

procedure PopulatePermissionRecordWithEffectivePermissionsForObject (var Permission: Record Permission, PassedUserID: Guid, PassedCompanyName: Text[50], PassedObjectType: Option, PassedObjectId: Integer)

To show how to use this method, I’ve created a procedure that receives as input the object to check and then retrieves the permissions of the specific user on this object. The code is as follows:

As you can see, PopulatePermissionRecordWithEffectivePermissionsForObject receives the required parameters and populates the temporary Permission record that I’m passing. You can then check the newly created permission record as you need (here, for example, I’m checking for the Execute permission, and if the user has no execute permission on the given object I can act accordingly).

To call the CheckUserPermission procedure above for a specific object (for example the 80 – Sales Post codeunit), you can just do the following:

That’s quite hidden I know… but now there’s a quick solution 🙂
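The check described above, written out as an added example (this is not the post's original listing and not Microsoft's code). The codeunit ID 50100, the object name, the procedure names and the AllowIndirect parameter are assumptions made for illustration; it separates a direct Execute permission from an Indirect one and denies by default.

```al
codeunit 50100 "Object Permission Check"
{
    // Hypothetical object: ID, name and procedure names are not from the post.

    procedure HasExecutePermission(ObjectType: Option; ObjectId: Integer; AllowIndirect: Boolean): Boolean
    var
        TempPermission: Record Permission temporary;
        EffectivePermissionsMgt: Codeunit "Effective Permissions Mgt.";
    begin
        // Populate the temporary record with the current user's effective
        // permissions on one object in the current company.
        // Per a reader comment on this page, license restrictions are not
        // reflected in the result.
        EffectivePermissionsMgt.PopulatePermissionRecordWithEffectivePermissionsForObject(
            TempPermission, UserSecurityId(), CopyStr(CompanyName(), 1, 50), ObjectType, ObjectId);

        case TempPermission."Execute Permission" of
            TempPermission."Execute Permission"::Yes:
                exit(true);
            TempPermission."Execute Permission"::Indirect:
                // Indirect: the object can only be run through another object
                // that holds the permission. The caller decides if that is enough.
                exit(AllowIndirect);
            else
                // Blank option value: no execute permission, deny by default.
                exit(false);
        end;
    end;

    procedure RequireSalesPostExecute()
    var
        Permission: Record Permission;
        NoExecuteErr: Label 'You do not have direct execute permission on codeunit %1.', Comment = '%1 = codeunit ID';
    begin
        // Codeunit 80 is the Sales Post codeunit used as the example in the post.
        if not HasExecutePermission(Permission."Object Type"::Codeunit, 80, false) then
            Error(NoExecuteErr, 80);
    end;
}
```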

8 Comments

  1. Hi Stefano, I just stumbled across your post – great one! Thanks for this! Please, allow me an additional note. I used this code to test permissions with a team member license. Unfortunately, the codeunit only checks the permissions in the effective permission, and neglects license restrictions. Maybe this helps somebody sometime…

    Best
    Rob

  2. Hi Stefano… great blog and great post. I’m using this method in a new extension but the table “Permission” is marked as obsolete and the reason is “Internal table which will be moved to the OnPrem scope in next major release”.

    The function “PopulatePermissionRecordWithEffectivePermissionsForObject” remains the same and there is no equivalent function without “Permission” table as a parameter. Do you know another way to achieve this? I think we have a month to change this code, for version 21.

    Best regards!!

      1. Thanks Stefano.

        Do you think Microsoft will add an equivalent function but using this “Expanded Permission” table instead of “Permission” table?

        The problem is not the table itself, it’s that a function uses a table that will be declared as “OnPrem” in the next version and we need a cloud usable function to get permissions for an object.

  3. FYI
    Microsoft has published a function that is equivalent to PopulatePermissionRecordWithEffectivePermissionsForObject in codeunit “Effective Permissions Mgt.” The new function resides in codeunit “User Permissions” and is called GetEffectivePermission()
