In this video, I talk about the impact of the Extensible property on pages. How it potentially can create a “vendor lock-in” situation for customers and hinder generic extensions in working.
In this video, Erik shares his strong opinion on a controversial topic in the AL development community: the misuse of the Extensible = false property on pages in Business Central. While the property has legitimate security purposes, Erik argues that some partners are abusing it to lock down all their pages by default — a practice he considers harmful to the entire Business Central ecosystem.
What Is Extensible = false?
In AL, every page object can have a property called Extensible. When set to false, it prevents anyone from creating a page extension that targets that page. In other words, the page is completely locked out from modification through the standard extension model.
page 7202 "CDS Admin Credentials"
{
Extensible = false;
// ...
}This means no other app — whether from AppSource or a custom development project — can extend this page with a page extension object.
The Legitimate Use Case
Microsoft introduced this property for a very good reason: to protect sensitive information. Erik walks through an example from the base application where the CDS Admin Credentials page is marked as Extensible = false. This makes perfect sense — you don’t want a random app installed from AppSource to be able to extend that page and potentially scoop out admin user IDs and passwords.
Other examples of pages that should reasonably be locked down include:
- Password entry pages
- Credential management pages
- Sensitive user administration pages
Erik notes that Microsoft isn’t entirely consistent with this — some credential-related pages like the Office Admin Credentials page are not marked as Extensible = false, which is likely something Microsoft will need to address. Additionally, the entire System Application currently ships with everything set to Extensible = false, which Erik also considers problematic.
The Problem: Partners Locking Down Everything
The real issue Erik wants to address is a disturbing trend among certain development partners. Some are setting Extensible = false on all of their pages by default — not for security reasons, but as a misguided way to protect their intellectual property and prevent others from modifying their work.
Erik considers this practice harmful for several reasons:
- It goes against the Business Central model. The platform thrives on extensibility — different partners and developers building on top of each other’s work.
- It locks customers into a single vendor. This echoes a problem the community dealt with roughly a decade ago, where customers were entirely dependent on one partner for any changes.
- It prevents legitimate third-party functionality. Erik uses his own company’s product as an example: eFocus’s Advanced Cloud Security app provides field-based and database-level security by dynamically generating page extensions. When a partner marks their pages as
Extensible = false, security cannot be applied to those pages — even though there’s no valid security reason for the lockdown. - It blocks users and other developers from making reasonable modifications — adding fields, rearranging layouts, changing properties, or applying personalization through design mode.
How Page Extensions Work in Practice
To illustrate the power of extensibility, here’s an example of a page extension that extends the Customer Card — something that would be impossible if the Customer Card were locked with Extensible = false:
pageextension 50100 CustomerListExt extends "Customer Card"
{
actions
{
addfirst(processing)
{
action(Test)
{
ApplicationArea = All;
Caption = 'Test';
Image = Test;
Promoted = true;
PromotedCategory = Process;
PromotedIsBig = true;
ToolTip = 'Test';
trigger OnAction()
var
e: ErrorInfo;
Helpful: Codeunit Helpful;
begin
e.Message := 'Not that fancy';
e.PageNo := 21;
e.FieldNo := Rec.FieldNo(Address);
e.RecordId := Rec.RecordId;
e.AddNavigationAction('Go North');
e.AddAction('Go South', 50100, 'Behelpful');
Helpful.SetContext(Rec.SystemId);
error(e);
end;
}
}
}
}This extension adds a custom action to the Customer Card. The supporting codeunit stores context and provides a callback:
codeunit 50100 "Helpful"
{
SingleInstance = true;
procedure Behelpful(e: ErrorInfo)
var
C: Record Customer;
begin
C.GetBySystemId(RememberedSystemId);
message('Wasn''t that helpful? %1', C.Name);
end;
procedure SetContext(g: Guid)
begin
RememberedSystemId := g;
end;
var
RememberedSystemId: Guid;
}This kind of extension-based development is fundamental to how the Business Central ecosystem operates. Locking pages down unnecessarily breaks this entire paradigm.
The Right Way to Protect Your Work
Erik acknowledges that partners may want to protect their intellectual property, but argues there are better ways to do it without crippling extensibility. The resourceExposurePolicy in the app manifest gives developers control over what’s visible without preventing extensions:
"resourceExposurePolicy": {
"allowDebugging": true,
"allowDownloadingSource": true,
"includeSourceInSymbolFile": true
}By setting properties like allowDownloadingSource to false, you can hide your source code while still allowing others to extend your pages. This means:
- Your code remains protected — others can’t see the implementation
- Security apps can still apply field-level security to your pages
- Users can still personalize and use the design mode
- Other developers can add fields or actions when needed
Two Clear Messages
To Customers
If you are a consumer of code written by different partners, make sure your partner is not locking down all their pages with Extensible = false. If you have access to the source code, check for this property. If you find it set everywhere, have a conversation with your partner about it.
To Partners
If you’re doing this, Erik strongly encourages you to stop. Find other ways to protect your work that don’t compromise the extensibility model. Only use Extensible = false when you genuinely need to protect sensitive data — passwords, credentials, and similar information that should never be accessible to other apps.
Conclusion
The Extensible = false property exists for a reason, and that reason is protecting sensitive data. Using it as a blanket policy on all pages is an anti-pattern that harms customers, blocks legitimate third-party functionality, and undermines the very foundation of how Business Central’s app ecosystem is designed to work. The community should push back against this practice and ensure that extensibility remains the norm, not the exception.
