Security Filter in Business Central and its limitations

-

Greetings Readers,

Today I'll write about a very useful functionality of Business Central - Security Filter in Permission set.

Introduction:

In Business, many times we come across scenarios where user's rights are restricted to Enter, Access, Modify and Delete, all or some of the data in ERP. These requirements arise during implementation of Standard operating procedures and Delegation of Authority decided by Business and Management.

Business central provides Permission set, Profile, Security Group, User setting etc. features to make sure these requirements are taken care of during the implementation.

As all these options takes care of Objects and data that a user can access or profiles of the user there is a very important functionality of Security Filter which helps to restrict access to only certain records based on some predefined filter values.

Business Use Case:

If a business wants to restrict a user's access to customer data then Customer table rights can be restricted through Permission Sets. If user can access the Customer data but not its Balance values then Profiles can be used to Customize pages to not show "Balance" field.

However, if the user should be able to access Customers with a specific Customer posting group or Customers from specific Country then in that case Security Filter comes into the play which helps to restrict the user's access to the data based on these pre defined filter values.

Setup and How to Use:

Security Filter can be applied only to the Objects of type Table Data. Filters can be applied to any of the fields available in a particular table.

Let's take an example where we need to give access to the user for Customer data but only for the Customers who has Customer Posting group value as Domestic.

So to set this up you need to give permission of Customer table data as follows in the Permission set.



Now we need to apply Security Filter on Customer posting group field. For this click on lookup of Security Filter field and input following values.


Important to note that for filter value you can also use different operators like | (Pipe), .. (Range), <> (Not equals to) etc.
Now in addition to this you need to give all other permissions that is required to access the Customer list and card pages. Here I'll use Record Permissions option to add all other permissions in this Permission set.



Now let's assign this Permission set to the user and see the result. In below images, first image shows the Customer list with full permissions and second image shows Customers list with our newly created permissions applying the filter.






See the difference, restricted User can not access all the Customers not having Customer posting group value as Domestic.

Similarly, for all the table data in Business central this functionality can be utilized to restrict users to access only certain records based on filters.

Limitations:

Despite this functionality solves a very complex requirement related to user access it has many limitations which are explained further in the blog.

To begin with, assigning Permissions and setting up Security Filter is a very lengthy task. Also the UI is not developed in a way to make it easy for Admin to create these filter setups. Adding each and every table and assigning security on different fields, typing in filter values etc. is lot of manual work.

If a Master table data has been assigned a Security Filter the same does not apply on related tables where further data related to main master are shown. To make it easy to understand, if on Customer table data I have applied filter system does not auto apply the filter on Customer Ledger entry, Sales Orders, Invoices etc.
Surprised to know that ? Yes, Its written correctly. In below screenshot you can see what the restricted user can access in Sales Order screen. You can also see the orders for Customer no. 30000 and 40000 who does not have Customer posting group as Domestic as per our earlier example.


So does this mean we need to apply the filter of Customer Posting group in each table data where there is Customer table relation ? Yes, that is correct. And how many number of tables are there in Business central where I need to apply this filter ? For Customer master only there are 37 tables where Customer Posting group field is there.
And what if that table data does not have field for Customer Posting group, for e.g. Sales Price List where I have defined Customer specific Sales prices, user will be able to see the prices offered to Customers outside his access rights because the filter can not be applied based on Customer Posting group.
For these types of table the filter needs to be applied on Customer No. instead of Customer Posting group. But again you need to create a filter value to include all those Customer No. and when a new customer is created in Domestic posting group then you need to add the Customer no. in the filter value at all the table data where filter is applied. There are 147 tables which does not have Customer Posting group as field though not all the tables user will be accessing but just thinking about it makes me think it as significant manual work.

Here is the big one, when generating any reports which uses the data from Customer table will give you error if user does not apply the filter of Customer Posting group on report request page. Is this a joke ? No, Its correct, try it. Check the below screenshot where I tried running Customer List report.


Normal expectation will be that system should auto apply that filter right ? But no, it isn't working.

There is a drawback of Permission set that if you assign any other Permission set which has permission for the same table data with improved(more) access then it will overwrite the limited access permission. So it become crucial to make sure that table data permission set is created properly and no other permission set with the same or improved permission is assigned to the user. Also if for different user different filters needs to be applied then again different permission sets needs to be created as filter values will differ for each User.

So that was all about limitations of security filters.

Thank you !!

The End ? No !
Well the question still remains on what to do about all these limitations of Security Filter.
As such there is no solution for this in standard Business Central and we need to accept that. (If you have any solution do let me know)

However, I have created a Customized functionality which if not all but eliminates the majority of these limitations. We'll talk about the solution in my next blog.

Till then Happy Reading !!

Comments

Post a Comment

Popular posts from this blog

Multi-Environment Consolidation - New feature in Business Central

-
Image
Greetings, Readers, Recently I read about this new feature by Microsoft in Business Central which enables Consolidation between multiple environments. This is one big update by Microsoft. If you check the earlier version of Business Central, it requires you to export Database file from Subsidiary company and import it in the Consolidated company to run the consolidation. This was a time consuming and manual task that user needs to perform. Developers were customizing and automating this process through different methods. In recent update Microsoft came up with method of using APIs to transfer data from Subsidiary company to Consolidate company. It requires user to do some basic setup and grant permission through login to environment of the Subsidiary company and your whole process of exporting file and importing to run the consolidation is out of the picture. If you look at Business value this update saves a lot of time and money for the organizations using Consolidation functionality....
Read more

Configure Bank Statement Import through Data Exchange Definition Part 1

-
Image
Hello Readers, Greetings to you. Time for new blog and new learning! In this blog I am going to showcase you the process to configure Bank Statement Import functionality in Business Central through Data Exchange Definition. In Business Central when user is required to perform Bank Reconciliation process, user needs to enter bank statement lines manually. There is an option of "Suggest Lines", but it will just copy the Bank Account ledger entries on Bank Statement lines. If there is any difference in bank statement and Bank Account ledger entries, then user needs to manually enter, delete or change the amount as needed to post the reconciliation. Through Bank Statement Import setup you can import CSV file of bank statement that is provided by your bank directly into Business Central. This functionality is available in both Bank Account Reconciliation and Payment Reconciliation Journal pages. User can decide which of the two methods to use for posting reconciliation. Business C...
Read more