Current situation

Business Central 28 introduced the OnPreRendering report trigger, which exposes a JSON object that can be parsed to invoke an external PDF library for various PDF modifications - including password protection. While this is a welcome addition, the implementation is tightly coupled to the report rendering pipeline. It is only accessible during report generation and requires knowledge of the internal JSON structure used by the rendering engine.

The problem

Partners and customers frequently need to password-protect PDFs that originate outside of the standard report rendering pipeline - for example, PDFs imported from external systems, generated by third-party libraries, or assembled programmatically. Currently, there is no first-class, supported API to do this in AL without building custom integrations.

The idea

Introduce a standalone AL procedure (e.g., on a platform codeunit) that accepts a PDF as an InStream and one or more passwords, and returns the password-protected PDF as an OutStream. A signature along these lines:

procedure PasswordProtectPdf(PdfInStream: InStream; UserPassword: Text; OwnerPassword: Text; var PdfOutStream: OutStream)

Both UserPassword and OwnerPassword should be optional - allowing partners to set one or both depending on the use case. This approach reuses the existing PDF library already bundled with Business Central and exposes it in a pipeline-agnostic way.

Business value

Enables password protection for any PDF, not just those generated by the BC report engine

Reduces complexity and dependency on internal JSON structures in OnPreRendering

Unlocks consistent, secure document handling for ISVs and partners without requiring external dependencies

Aligns with the principle of composable, reusable platform APIs