This is rather a bugfix than a new idea but has to be solved ASAP!
Quoting from the MS Learn page:
If a permission is in a permission set that is included, and is also in a permission set that is excluded, the permission will be excluded.
That is plain wrong. I tested this a year ago and it was already wrong then, and I just tested again:
- set up a new user
- grant him the permission set "D365 CUSTOMER, EDIT"
- create a custom permission set that explicitly excludes creating and editing within the customer table (18)
- grant the user the new custom permission set IN ADDITION to "D365 CUSTOMER, EDIT"
Effective permissions show the user IS ALLOWED to create and edit entries in that table. Practical test shows the same result. It neither works with the option "reduce to indirect" nor with "exclude".
The only way to prevent the new user from creating and editing entries in the customer table is to
- create a custom permission set
- within that set, include the "D365 CUSTOMER, EDIT"
- still within that set, exclude the permission to create and edit entries in the customer table
- grant the user the new custom permission set INSTEAD of "D365 CUSTOMER, EDIT"
Maybe this is how it's supposed to work, but then the MS Learn page is wrong, which I already sent in as feedback, but it was seemingly ignored.
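The two setups described in the post above, written as AL permission set objects. This is an added example, not part of the original post and not Microsoft's code. The object IDs and the three "CUST ..." names are hypothetical, and it assumes the standard set is referenced in AL under the name the post uses, "D365 CUSTOMER, EDIT".

```al
// Constructed example: object IDs 50100-50102 and the CUST... names are hypothetical.

// Helper set that holds only the permissions to take away:
// Insert (I) and Modify (M) on table data Customer (table 18).
permissionset 50100 "CUST NO WRITE EXCL"
{
    Assignable = false;
    Permissions = tabledata Customer = IM;
}

// Setup 1, reported in the post as NOT effective:
// a set that only carries the exclusion, assigned to the user
// IN ADDITION to "D365 CUSTOMER, EDIT". The exclusion has nothing
// inside its own set to subtract from, and the separately assigned
// "D365 CUSTOMER, EDIT" still grants Insert/Modify on Customer.
permissionset 50101 "CUST NO WRITE ADDON"
{
    Assignable = true;
    ExcludedPermissionSets = "CUST NO WRITE EXCL";
}

// Setup 2, reported in the post as effective:
// include the standard set and exclude Insert/Modify inside the SAME
// custom set, then assign this set INSTEAD of "D365 CUSTOMER, EDIT".
permissionset 50102 "CUST EDIT NO WRITE"
{
    Assignable = true;
    IncludedPermissionSets = "D365 CUSTOMER, EDIT";
    ExcludedPermissionSets = "CUST NO WRITE EXCL";
}
```

After assigning either set, check the user's effective permissions for the Customer table, as the post does, and make sure no other assigned set grants Insert or Modify on it.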
Business Central Team (administrator)
Thank you for this suggestion! Currently this is not on our roadmap. We are tracking this idea and if it gathers more votes and comments we will consider it in the future. Best regards, Business Central Team