Security Filters in Business Central
Business Central Security’s security system allows you to control the objects that a user can access within each database or environment. For each user, you can specify whether you want to allow reading, editing or inserting data in the selected database objects.
You can specify which records are stored in the tables that each user is allowed to access. This means that permissions can be allocated at both the table level and the record level.
The security system contains information about the permissions that have been granted to each user who can access a particular database.
There are four different levels of security:
Business Central has two levels of permissions for database objects:
• Full licenses based on the license, also called rights.
• More detailed permissions assigned by Business Central.
In each of the fields of the five types of access
• Reading authorization
• Insert authorization
• Modify authorization
• Delete authorization
• Execution authorization
you can select one of the following three options:
|Yes||The user can perform the action for the object in question.|
|Indirect||The user can perform the action for the object in question but only through another related object to which the user has full access|
|Blank||The user cannot perform the action for the object in question.|
Security Filters (record level security)
For record-level security in Business Central, you use security filters to limit a user’s access to data in a table. You create security filters on table data. A security filter describes a set of records in a table that a user has permission to access. You can specify, for example, that a user can only read the records that contain information about a particular customer (or Salesperson for example).
This means that the user cannot access the records that contain information about other customers. This technology is also called Data Segmentation, as if a slice was made on the data based on the authorizations, similar technology is also used in other Microsoft software.
There are two parts to implementing security filters.
- Creating the security filters on the table is typically done by an application administrator.
- Defining how the application behaves when the filters are applied is done in application code by a developer.
You create security filter by using the Business Central Web Client. You set security filters on permission sets, which you assign to users.
Record level security filters do not support wildcard characters. This means that you cannot use * and ? in the filters. You can use other symbols, delimiters and, operators, such as, <, >, |, &, .., and =. If you do not enter an operator, then the default operator = is used.
Security filters support Unicode characters. The maximum length of a security filter is 200 characters, including all field names, delimiters, symbols, and operators that used in the filter.
When multiple permission sets that refer to the same table data are assigned to a user, they are combined so that the least restrictive filter is used. You should not repeat a table in multiple permission sets if you plan to combine those permissions sets for one user. You can resolve potential conflicts with security filters and specify the desired behaviour by setting the security-filtering mode on Record variables to determine how the security filters are applied.
Query objects and record objects, including both explicit record variables and implicit records on pages, reports, or XMLports, have a property named SecurityFiltering, which describes how security filters are applied.
The possible values of the “SecurityFiltering” property are:
Permissions > Security Filters
Salesperson Code Filter on Customer Table