Minimum permission required to sign in to D365BC

In this article, I will explain how to identify the minimum permissions required to sign in to BC.

Last week, I found an interesting question posted on the forum below:

Unsolvable Basic Permission Question – Any method to solve it? – Dynamics 365 Business Central Forum Community Forum
” I read many articles and methods and still I cannot figure this out. My question is simple what are required permissions to just login to BC. Regardless of role. This is basically for user to login to BC and cannot do anything. Just not receive the error that you do not have permission. The goal is to assign other permissions set to user depends on role and responsibility.  I cannot record such a permission set because I cannot log out and login during recording. “

So I did some research using a method that I have used in the past my project for permission research.

1. Replay the error

First, create a new permission set.

The contents are blank. Now press the “Start” button for recording.

This will start recording the permissions. (By the way, the “Start” buton for recording is now displayed in a clear location.)

In this case, I want to record the permissions for sign in, so I signed out from right corner. Then the recording will stop because the session itself that records the permissions here will no longer exist. In other words, the permissions for signing in cannot be recorded. This is what the forum questioner is saying.

2. How to identify permission object for sign in

Create a new user in preparation.

From the user list page, execute “Update users from Microsoft 365” to generate the newly registered users as BC users.

Open the user card. Some permission sets are assigned by default.

Unassign permission sets . Since the permission sets are assigned via user group, I simply unassigned the user group.

Assign the blank permission sets that I created at the beginning of previous section.

Sign in to Office365 with the newly created user.

Open new tab with URL below.
“Https://[tenant ID(or domainname of tenant)]/[Environment name」?Company=[company name]”
It’s easy to copy & past from administrators BC window.

When I pressed enter key, it tries to sign in, but I got the following error. It says the new user for testing don’t have Codeunit permissions.

Add the Codeunit ID in the error message to the permission set.

Copy and paste the Codeunit name text shown in the error message to search for the object.

An object has been added to the permission set. Once you move the focus to another row and then back to the original row of the added permission set, the addition will be committed.

Sign in again as a test user. It is quicker to press the F5 button on your browser.

Then I get the error again, but this time it says that this user don’t have permissions for another Codeunit.

Add the object as before.

When I tried to sign in again by pressing the F5 button on my browser as I did before, I got another error message.

Repeat this process to create a set of permission sets, as shown below.

As far as I can tell on 2/6/2022, the following objects need to be included in the permission set. (Table Data may only need Read permission…)

After adding all the objects above, you will see the following error at the end. This error does not say what objects are missing. The hint is that it is related to the “Business Manager Evaluation” role center.

Try switching to the “Business Manager Evaluation” role center.

The ID of the Roll Center page can be found by inspecting it with Ctrl+Alt+F1.” Business Manager Evaluation” is 9022. (This will vary from role center to role center).

In conclusion, simply add this Page’s ID to the permission set. I’ ll keep the permission sets separate. Create a new permission set.

Add Page permissions.

Assign additional permission sets to users.

Once again, go back to the test user’s browser and refresh it with F5. The following screen should then appear. It is really “just signed in” and nothing is displayed. Try pressing the left arrow button.

You will be taken to a page that looks like this. This is also “just signed in” and nothing is displayed.

3. Summary

The points are as follows.
– Sign-in permissions cannot be recorded in the permission record function.
– Making a blank permission and adding an object every time an error occurs.
– The page ID of the role center needs to be added to the permission set.

The second point is quite a steady task.
If you look at the required objects, you will see that you need permissions that are seemingly unrelated to sign-in, such as “CRM Connection Setup”. And this means that the permissions of the features that are added when BC is upgraded to a minor/major version will affect the Minimum permissions required for sign-in. Personally, I don’t think “CRM Connection Setup” has anything to do with sign-in, so I would like to see the logic for sign-in improved so that the Minimum permissions required for sign-in are not affected much.

Thanks you for reading.


メールアドレスが公開されることはありません。 * が付いている欄は必須項目です