Most organisations running enterprise resource planning software have invested heavily in implementation, customisation, and user training. Far fewer have given the same level of thought to who can actually do what inside the system. That gap between deployment effort and access control maturity is where real risk tends to hide.
Microsoft Dynamics 365 Business Central, one of the most widely adopted ERP platforms for mid-sized companies, is a good example. Thousands of organisations across Europe and North America rely on it daily for financials, supply chain and operations. Yet the native permission model can quickly become tangled as companies grow, add modules, or onboard new staff.
The Dutch software firm 2-Controlware, based in Breda, has spent over 17 years building dedicated authorisation management tooling for this exact platform. Their site offers more information on how granular access control works in practice, including a free white paper on the subject. It is a niche that sounds dry until you realise the consequences of getting it wrong.
Table of Contents
The Real Cost of Misconfigured Permissions
When a warehouse clerk can approve purchase orders, or a junior accountant can modify vendor bank details without a second pair of eyes, the problem is not malice. It is configuration drift. Permissions get copied from one user to the next, exceptions become permanent, and before long nobody has a clear picture of who holds which rights.
Segregation of duties, often shortened to SoD, exists to prevent exactly this kind of overlap. The principle is straightforward: no single person should control two steps of a sensitive process. In practice, enforcing SoD inside an ERP system with hundreds of permission sets is anything but straightforward, especially when the organisation lacks automated conflict detection.
Fraud aside, auditors increasingly flag weak access controls during annual reviews. Organisations subject to SOX requirements, GDPR obligations or sector-specific regulations can face material findings if they cannot demonstrate that their ERP permissions match documented policies.
Cloud Migration Makes the Problem Harder to Ignore
The shift from on-premises NAV installations to cloud-based Business Central has accelerated noticeably since Microsoft announced the end of mainstream support for older Dynamics NAV versions. Cloud brings automatic updates, better scalability and lower infrastructure costs. It also means permission structures need to keep pace with platform changes that arrive every few months rather than every few years.
Each Business Central release wave can introduce new objects, pages or API endpoints. Without a structured approach, organisations either grant too many rights to avoid disruption or scramble to patch permissions after an update breaks a workflow. Neither option is ideal. Tools that map authorisation design to organisational roles, rather than to individual permission sets, help reduce this maintenance burden considerably.
Solutions like the Authorization Box from 2-Controlware take this role-based approach and add continuous monitoring on top. The idea is that access control is not a one-time setup project but an ongoing discipline, much like cybersecurity patching.
What a Mature Authorisation Setup Looks Like
A well-designed authorisation management framework starts with a clear definition of organisational roles. Not job titles, but functional responsibilities mapped to the specific transactions each role needs. From there, permissions are assigned to roles rather than individuals, which makes onboarding, offboarding and internal transfers far less error-prone.
Conflict detection adds a second layer. The system flags a proposed permission change that would create a SoD violation before the change goes live. This is fundamentally different from discovering the conflict months later during an audit. For companies that need more information on how field-level security and validation rules further tighten control, the combination of these layers is where real compliance confidence begins.
Continuous monitoring forms the third pillar. Even with a clean initial setup, drift will occur. People change roles, temporary access gets extended, and new modules go live. A monitoring dashboard that tracks deviations from the approved baseline gives IT managers and compliance officers a shared source of truth. It replaces spreadsheet-based reviews that tend to be outdated by the time they are completed.
A Discipline, Not a Feature
Authorisation management sits at the intersection of IT governance, compliance and day-to-day operations. It touches finance teams worried about fraud risk, IT departments managing user lifecycles, and auditors requiring demonstrable controls. Treating it as a checkbox during implementation almost guarantees problems later.
The organisations that handle this well tend to share a few traits. They assign clear ownership of the permission model, they review access quarterly rather than annually, and they use tooling purpose-built for their ERP platform rather than generic identity management suites. For the growing number of companies running Business Central, that specificity matters more than ever as the platform itself evolves at cloud speed.











