How to limit who can install apps in my Business Central

Consultant recommended giving everyone super user access to sandbox while we’re practicing, and one of my users uploaded a stray coded app from someone on the internet. I want to lock that capability down now!

Hi Tim.

As a consultant myself, I wouldn’t recommend super user access even in the sandbox for users. You should match your production environment security; that way the users are only accessing things that they would after go-live.

User security is assigned within the User Card. Navigate to the Users list and select the user you’d like to update security for, and you can update the User Group Memberships and/or the User Permission Sets.

There are many out-of-the-box permission sets/groups already set up for specific roles.

Feel free to ask more questions if needed.

Kristen Hosman, Microsoft MVP


Thank you for such a timely response. I obviously need to skill up on all the many intricacies of BC’s security and permissions.


As Kristen replied, in the User Card, you should review all Permissions and delete the Super and replace it with actual permissions based on the User role. Make sure you do not give a User Extension Mgmt.

Security will take time to both learn and understand. Reviewing Permissions and their Descriptions will help narrow down what each permission does and what you can assign to a User.

Hope this helps.

Thank you for taking the time to respond to my inquiry. I will definitely heed your advice.

Agree with Steve and Kristen. The good news (which you probably already know) is that the extension can be un-installed rather easily. This is a lot better than the good ole days of C/AL, when removing customizations involved hunting down all the objects impacted by the customization and reverting them back to standard.