Users, Profiles & Security
Business Central security is built on profiles, users, permission sets, and security groups. Learn how to control who sees what — from basic user setup to security filters and auditing.
How security works in Business Central
Security in Business Central works like a hotel.
Your profile is your room type (suite, standard, budget) — it determines what your room looks like when you walk in (your Role Centre). Your permissions are your key card — they control which doors you can open (which pages, tables, and actions you can access). A security group is like a VIP list — everyone on the list gets the same key card privileges.
Sam at Nordic Manufacturing doesn’t want the shop floor supervisors accessing financial journals. He gives them a profile with an operations Role Centre and permissions that only allow inventory and production pages.
User profiles
A profile defines which Role Centre a user sees when they log in. It’s the “job template” that determines the default experience.
| Profile | Role Centre | Typical User |
|---|---|---|
| Business Manager | Executive dashboard, KPIs, cash flow | CEO, CFO, general manager |
| Accountant | Chart of accounts, journals, bank recon | Finance team |
| Sales Order Processor | Sales orders, customers, shipments | Sales team |
| Purchasing Agent | Purchase orders, vendors, receipts | Procurement team |
| Warehouse Worker | Inventory picks, put-aways, movements | Warehouse staff |
Creating and managing profiles
- Open the Profiles (Roles) page (Tell Me > “Profiles”)
- Select New to create a custom profile
- Assign a Role Centre Page ID — this determines the home page
- Set as Default Profile if it should apply to all new users
- Enable/disable Show in Role Explorer to control visibility
Key concept: Profiles control the experience (what you see). Permission sets control the access (what you can do). A user can have the Accountant profile but limited permissions that prevent posting journals.
Setting up users
Users in Business Central are linked to Microsoft Entra ID accounts. You don’t create identities in BC — you assign BC access to existing Entra users.
Steps Sam follows to add a new user at Nordic Manufacturing:
- Open the Users page (Tell Me > “Users”)
- Select Update Users from Microsoft 365 (syncs Entra accounts)
- Find the user and assign:
  - User Name — their Entra UPN (email address)
  - Licence Type — automatically detected from M365 licence assignment
  - Profile — which Role Centre they see
  - Permission Sets — what they’re allowed to do
- Optionally set Authentication Email and Contact Email
Exam tip: User creation flow
The exam expects you to know:
- Users are synced from Microsoft Entra ID — not created directly in BC
- The licence must be assigned in the Microsoft 365 admin center FIRST
- The user must sign in at least once for their BC user record to be fully initialised
- You can also create users manually, but the recommended approach is the M365 sync
Permissions and permission sets
Permissions are the core of Business Central security. They control exactly what a user can read, insert, modify, or delete.
How permissions are structured
Permission Set (container)
├── Object Permission 1 (Table Data: Customer — Read, Insert)
├── Object Permission 2 (Table Data: Sales Header — Read, Insert, Modify)
├── Object Permission 3 (Page: Customer Card — Execute)
└── Object Permission 4 (Report: Customer List — Execute)
Each permission specifies:
- Object Type — Table Data, Table, Page, Report, Codeunit, System, Query
- Object ID — which specific object
- Access — Read, Insert, Modify, Delete, Execute (RIMDE)
System vs user-created permission sets
| Type | Who Creates | Can Be Edited | Examples |
|---|---|---|---|
| System | Microsoft (shipped with BC) | No — but can be copied | D365 BUS FULL ACCESS, D365 READ, D365 TEAM MEMBER |
| User-created | Your admin (Sam) | Yes | NORDIC-AP-CLERK, NORDIC-SALES-FULL |
| Extension | App/extension publisher | No — but can be copied | Permission sets from installed apps |
Best practice: Copy, don't edit system permission sets
System permission sets get updated with every Business Central release. If you edit them directly, your changes may be overwritten.
Sam’s approach:
- Copy the system permission set that’s closest to what you need
- Rename with a company prefix (e.g., NORDIC-AP-CLERK)
- Adjust permissions as needed
- Assign the custom set instead of the system one
Security groups
Security groups simplify permission management by grouping users who need the same access. Instead of assigning 5 permission sets to each of 20 users individually, Sam creates a group.
| Without Security Groups | With Security Groups |
|---|---|
| Assign permissions to User A | Create “Finance Team” group |
| Assign same permissions to User B | Add permission sets to the group |
| Assign same permissions to User C… | Add users A, B, C to the group |
| Change = update every user | Change = update the group once |
Security groups can be synced from Microsoft Entra ID security groups or created natively in Business Central.
Exam tip: Security groups vs Entra groups
Business Central supports two types of security groups:
- Entra ID security groups — managed in Entra, synced to BC. Changes in Entra propagate automatically.
- BC-native security groups — created and managed entirely within Business Central.
The exam may ask which approach is better for organisations already using Entra for identity management. Answer: Entra ID security groups — single source of truth, automatic sync, consistent with M365 governance.
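An access review over the structure described above (permission sets of object permissions, assigned directly or through security groups), as an added example that is not part of the original guide. It models permissions as additive across every assigned set; the users, groups, object names and the restricted-object policy are constructed for illustration.

```python
# Added example: offline access review. All names and data below are constructed.
from collections import defaultdict

# Permission set -> {(object type, object name): access letters from RIMDE}
PERMISSION_SETS = {
    "NORDIC-WHSE": {
        ("Table Data", "Item"): "RIM",
        ("Table Data", "Location"): "R",
        ("Table Data", "Item Journal Line"): "RIMD",
        ("Page", "Item Journal"): "E",
    },
    "NORDIC-FIN-JNL": {
        ("Table Data", "Gen. Journal Line"): "RIMD",
        ("Page", "General Journal"): "E",
    },
}
GROUPS = {"Warehouse Team": ["NORDIC-WHSE"]}  # security group -> permission sets
USERS = {  # user -> group memberships and directly assigned permission sets
    "anna": {"groups": ["Warehouse Team"], "direct": []},
    "bjorn": {"groups": ["Warehouse Team"], "direct": ["NORDIC-FIN-JNL"]},
}
# Policy for this review: objects warehouse staff must not reach.
RESTRICTED = {("Table Data", "Gen. Journal Line"), ("Page", "General Journal")}


def assigned_sets(user):
    """Yield (permission set, how the user got it) for group and direct grants."""
    for group in USERS[user]["groups"]:
        for pset in GROUPS[group]:
            yield pset, f"group:{group}"
    for pset in USERS[user]["direct"]:
        yield pset, "direct"


def effective_permissions(user):
    """Permissions are additive: union the access letters over every set."""
    effective = defaultdict(set)
    for pset, _source in assigned_sets(user):
        for obj, access in PERMISSION_SETS[pset].items():
            effective[obj] |= set(access)
    return {o: "".join(c for c in "RIMDE" if c in a) for o, a in effective.items()}


def violations(user):
    """List (object, permission set, source) for each grant on a restricted object."""
    return sorted(
        (obj, pset, source)
        for pset, source in assigned_sets(user)
        for obj in PERMISSION_SETS[pset]
        if obj in RESTRICTED
    )
```

The second user shows the drift this kind of review is meant to catch: the group baseline is clean, but a direct assignment adds journal access on top of it.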
Security filters
Security filters restrict access to specific records within a table. While permissions control which tables you can access, security filters control which rows you can see.
Example: Olivia wants Marcus (her AP clerk) to see only vendors assigned to the “DOMESTIC” dimension value. She applies a security filter:
- Permission set: Read access on Vendor table
- Security filter on Vendor table: Department Code = DOMESTIC
Now Marcus can only see domestic vendors. International vendors are invisible to him.
When to use security filters
| Use Case | Filter On |
|---|---|
| Department-specific access | Dimension values |
| Location-based access | Location code |
| Salesperson-specific customer lists | Salesperson code |
| Company-branch restrictions | Responsibility centre |
Security filter limitations
Security filters have important limitations:
- They apply to direct table access only — some reports and pages may bypass them
- They can impact performance if applied too broadly (filtering on large tables)
- They work at the permission set level — so different permission sets can have different filters
- They don’t replace row-level security in the database — they’re an application-level control
Security auditing
Business Central includes a Change Log that tracks modifications to data. Sam enables it to maintain an audit trail.
Setting up the Change Log
- Open Change Log Setup (Tell Me > “Change Log Setup”)
- Enable the change log
- Select which tables to track:
  - All Fields — track every change to every field (heavy, use sparingly)
  - Some Fields — track specific fields only (recommended)
- Choose what to log: Insertion, Modification, Deletion
What the Change Log captures
| Logged Information | Example |
|---|---|
| Who made the change | User ID |
| When the change was made | Date and time |
| What changed | Table name, field name, old value, new value |
| What type of change | Insert, Modify, Delete |
Sam enables auditing on sensitive tables: GL Entries, User Setup, Permission Sets, and Customer/Vendor master data. He doesn’t audit everything — that would fill the database and slow performance.
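How the audit trail is used in an investigation, as an added example that is not part of the original guide: filter exported change log entries to one table and time window, then check whether the tracking setup covers the fields the investigation needs. The CSV column names mirror the table above and are an assumption about the export layout; the rows, field names and setup are constructed.

```python
# Added example: querying an exported change log. Sample rows are constructed.
import csv
import io
from datetime import datetime

# Column names follow the "What the Change Log captures" table; they are an
# assumption about the export layout, not Business Central's own format.
SAMPLE_EXPORT = """\
User ID,Date and Time,Table Name,Field Name,Type of Change,Old Value,New Value
MARCUS,2024-05-06 09:14:00,Vendor,Name,Modify,Fjord Steel,Fjord Steel AS
OLIVIA,2024-05-07 16:42:00,Vendor Bank Account,Bank Account No.,Modify,EXAMPLE-0001,EXAMPLE-0002
SAM,2024-04-20 11:00:00,Vendor Bank Account,Bank Account No.,Modify,EXAMPLE-0000,EXAMPLE-0001
MARCUS,2024-05-08 08:03:00,Vendor Bank Account,IBAN,Insert,,EXAMPLE-IBAN
MARCUS,not-a-date,Vendor Bank Account,IBAN,Modify,EXAMPLE-IBAN,EXAMPLE-IBAN-2
"""

# Constructed Change Log Setup: table -> tracked fields ("*" means All Fields).
TRACKED = {"Vendor Bank Account": {"Bank Account No.", "IBAN"}, "Vendor": {"*"}}


def find_changes(export_text, table, start, end):
    """Return (matching rows, unparseable rows) for `table` in [start, end)."""
    hits, rejected = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Table Name"] != table:
            continue
        try:
            when = datetime.strptime(row["Date and Time"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            rejected.append(row)  # keep bad rows visible instead of dropping them
            continue
        if start <= when < end:
            hits.append(row)
    return hits, rejected


def coverage_gaps(tracked, required):
    """Fields an investigation needs that the setup above would never log."""
    gaps = []
    for table, fields in required.items():
        logged = tracked.get(table, set())
        if "*" not in logged:
            gaps += [(table, f) for f in sorted(fields - logged)]
    return gaps
```

A field left out under Some Fields, or a table that was never selected, leaves no entry to find, so the coverage check is worth running before an incident rather than after.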
Knowledge check
Sam needs to give 15 warehouse workers at Nordic Manufacturing the same set of permissions: read/write access to inventory, locations, and item journals, but no access to financial data. What's the most efficient approach?
The CFO at Coastal Traders wants to know who changed a vendor's bank account details last week. Where does Sam look?
Next up: Users are set up and secured. Now let’s configure the essential settings every company needs — company information, number series, reports, email, and job queues.