There are two things that developers in AL do not like to do. Reports – I know very few people who like it, and Permissions. Although in my case I should say I do not like only one thing since permissions I just HATE.
In the next two weeks, we plan to release a new extension on AppSource (stay tuned) and we need to do permissions – as always. I sat with one of our developers and we decided “let’s do it in a new way”.
What is the new way?
In version 18 (released April 2021) you can do permission in two ways – old and new. For those who try not to do permissions sets in AL so often, here is a small reminder: in the old way you needed to create an XML document where you did not see what the object name is or even type if you do not remember C/SIDE. And this XML document was very, very (and very very) long. In my case, it has (and I have more than one) over 4000 lines.
In a new way, the permissions are defined as objects similar to enums, profiles, and all others. So why it is so good?
First of all, when creating permission you can see what are objects are included and what permission right away.
Moreover, you can extend other permission sets. So, imagine a situation that you have a new extension and you do not want to create a new permission set for your users but only extend an existing one. You do not need to send users information to assign new permission – they will get it automatically.
You can obsolete also permission and see which one will be obsolete from the standard permission set.
Only that? Not at all!
When we created permission in a new way my colleague called me and said this is great, I can now group the permissions in one set – but what he did he just group them in one object. After few minutes we both realized that there is a much better way to do it and instead of one permission set now we have… more than twenty.
Don’t worry it does not mean that the user needs to have assigned all twenty permissions. It even does not mean the administrator sees those twenty permissions. He still will see only one. But for us who the same permission can be in two different roles is a great way to do the job only once.
To achieve so you need to know two parameters – the first one says if permission set can be assigned to users – Assignable. And the second that says which permission sets are included in the permission set – IncludedPermissionSets.
The result is that in Business Central there is only one permission set visible which contains all permissions from my multiple objects. This way you do not need to multiple the same permission if they are needed in multiple roles.
Few notes before the end
We have been a little struggle to get it working at first so here are few tips:
- The next object number is not assigned automatically (but this is a reported bug (https://github.com/microsoft/AL/issues/6577)
- If you do not see the permission set, make sure you have Assignable property assigned and set to true (I think the default value is false).
- There is the script that can help you change your old XML permission to a new object – https://github.com/microsoft/BCTech/tree/master/samples/PermissionSetConversion. However converting it using Business Central, Excel and Notepad took me around 15 minutes to do for most of our old permission sets. If you need to change a lot of permission sets then I encourage you to look at the script and do it automatically. But if you have one or two, I think faster you will get doing it manually using Excel.
This time it will be short. The developer who was working on it told me: I never want to go back to XML permissions. And I think this is the best conclusion ever.