Enterprise resource planning systems sit at the core of most mid-sized and large organisations today. They process invoices, manage inventory, handle payroll, and store sensitive customer data. Yet the way users gain access to these systems remains one of the most underestimated security risks in corporate IT.
The risk is rarely an external attacker breaking in. Far more often, an ERP security incident traces back to permissions granted internally: users who have accumulated more access than their job requires, or roles that were never configured correctly in the first place. Any IT manager who assumes the default role structure in a Dynamics environment is sufficient should reconsider that assumption, especially as compliance frameworks tighten across the EU.
Specialist vendors have emerged to address exactly this gap. One notable example is 2-controlware.com, a Dutch software company based in Breda that has spent over 17 years building authorisation tools specifically for Microsoft Dynamics environments. Its focus on role design, conflict detection and continuous monitoring reflects a broader industry shift towards treating internal access control as a discipline in its own right rather than an afterthought during the annual audit.
The Hidden Risk Inside Business Central Deployments
Microsoft Dynamics 365 Business Central has become one of the most popular ERP platforms for mid-market companies across Europe. Its cloud-first architecture and tight integration with the Microsoft 365 ecosystem make it attractive. However, the platform’s flexibility also means that authorisation structures can become complex and difficult to audit within months of going live.
A common scenario involves organisations migrating from older Dynamics NAV versions to Business Central without fully redesigning their permission sets. Legacy roles get carried over, new ones get layered on top, and within a year the authorisation matrix resembles a patchwork that nobody fully understands. Because a user's effective rights are the union of every permission set assigned to them, each new layer only ever adds access; nothing in a migration takes any away. When an auditor asks who can approve purchase orders above a certain threshold, the answer is often uncomfortably vague.
Dedicated tools like the Authorization Box from 2-controlware.com tackle this by providing a structured method to design, manage and monitor roles within Business Central. Detecting separation-of-duties conflicts before they become audit findings is particularly valuable for organisations subject to SOX or similar regulatory frameworks.
Separation of Duties and Why It Keeps Auditors Awake
Separation of duties, often abbreviated as SoD, is a foundational principle in internal controls. The idea is straightforward: no single person should be able to initiate, approve and record a financial transaction without oversight. In practice, enforcing SoD inside an ERP system is anything but simple.
Business Central grants access through permission sets, assigned directly or through user groups, and a user's effective rights are the union of everything assigned. The platform does not natively flag when that combination creates a conflict: two permission sets that are each harmless on their own can together give one person end-to-end control of a process. An accounts payable clerk who can also create vendors, for instance, has the ability to set up a fictitious supplier and route payments to it. These scenarios are not hypothetical. The Association of Certified Fraud Examiners reported in its 2024 global study that billing schemes remain among the most common forms of occupational fraud, with a median loss of $100,000 per case.
Automated conflict detection changes the dynamic. Rather than relying on spreadsheets and manual reviews every quarter, organisations can run continuous checks against a predefined SoD ruleset. When a new user is assigned a role that creates a conflict, the system flags it immediately, reducing the window of exposure from months to minutes.
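The check described above, as an added example that is not code from the page or from 2-controlware: permission sets are modelled as sets of object-level permissions in the style of Business Central's Permission table, a "capability" is the bundle of permissions needed for one business action, and an SoD rule is a pair of capabilities no single user may hold. The permission set names, object names and rules are constructed for illustration. The important behaviours are that a user's effective permissions are the union of all assigned sets, that a conflict is reported together with the permission sets that caused it, and that a proposed assignment can be dry-run before it is saved.

```python
"""SoD conflict detection over permission-set assignments (added example,
not 2-controlware code; all names below are constructed)."""

# Permission set -> (object type, object name, permission), modelled on the
# Read/Insert/Modify/Delete/Execute entries of the BC Permission table.
PERMISSION_SETS = {
    "VENDOR-MAINT": {
        ("TableData", "Vendor", "Read"),
        ("TableData", "Vendor", "Insert"),
        ("TableData", "Vendor", "Modify"),
    },
    "AP-CLERK": {
        ("TableData", "Vendor", "Read"),
        ("TableData", "Purchase Header", "Insert"),
        ("TableData", "Purchase Header", "Modify"),
        ("TableData", "Gen. Journal Line", "Insert"),
    },
    "AP-POST": {
        ("TableData", "Gen. Journal Line", "Read"),
        ("Codeunit", "Gen. Jnl.-Post Line", "Execute"),
    },
    "PO-APPROVE": {
        ("TableData", "Purchase Header", "Read"),
        ("Codeunit", "Purchase Approval", "Execute"),
    },
}

# A capability is held only when ALL of its permissions are present.
CAPABILITIES = {
    "create_vendor": {("TableData", "Vendor", "Insert")},
    "enter_payment": {("TableData", "Gen. Journal Line", "Insert")},
    "post_payment": {("Codeunit", "Gen. Jnl.-Post Line", "Execute")},
    "create_po": {("TableData", "Purchase Header", "Insert")},
    "approve_po": {("Codeunit", "Purchase Approval", "Execute")},
}

# SoD ruleset: (capability A, capability B, why the combination is toxic).
SOD_RULES = [
    ("create_vendor", "enter_payment", "fictitious vendor can be paid"),
    ("enter_payment", "post_payment", "payment entered and posted unreviewed"),
    ("create_po", "approve_po", "self-approved purchase order"),
]


def effective_permissions(assigned_sets, permission_sets=PERMISSION_SETS):
    """Union of every assigned set: BC permissions only ever add up."""
    perms = set()
    for name in assigned_sets:
        perms |= permission_sets[name]
    return perms


def capabilities_of(assigned_sets, permission_sets=PERMISSION_SETS):
    """Map each held capability to the permission sets that contribute to it,
    so a finding says where to remediate, not just that a problem exists."""
    perms = effective_permissions(assigned_sets, permission_sets)
    held = {}
    for cap, required in CAPABILITIES.items():
        if required <= perms:
            held[cap] = sorted(s for s in assigned_sets if permission_sets[s] & required)
    return held


def sod_conflicts(assigned_sets, permission_sets=PERMISSION_SETS, rules=SOD_RULES):
    """Evaluate the ruleset against one user's combined assignments."""
    held = capabilities_of(assigned_sets, permission_sets)
    return [
        {"rule": (a, b), "risk": risk, "granted_by": {a: held[a], b: held[b]}}
        for a, b, risk in rules
        if a in held and b in held
    ]


def conflicts_if_assigned(current_sets, new_set):
    """Dry run: only the conflicts that assigning new_set would newly create."""
    before = {c["rule"] for c in sod_conflicts(current_sets)}
    return [c for c in sod_conflicts(list(current_sets) + [new_set]) if c["rule"] not in before]


def check_all(users):
    return {user: sod_conflicts(sets) for user, sets in users.items()}


USERS = {  # constructed user -> assigned permission sets
    "anna": ["AP-CLERK"],                  # clean on its own
    "bert": ["AP-CLERK", "VENDOR-MAINT"],  # can create a vendor and pay it
    "carla": ["AP-CLERK", "AP-POST"],      # can enter and post the same payment
    "dan": ["AP-CLERK", "PO-APPROVE"],     # can raise and approve a PO
}

if __name__ == "__main__":
    for user, findings in check_all(USERS).items():
        for f in findings:
            print(f"{user}: {f['rule'][0]} + {f['rule'][1]} ({f['risk']}) via {f['granted_by']}")
```

Note that each of the three conflicting users holds two permission sets that pass the check individually; the conflict only exists in the union, which is exactly what a per-set review misses.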
Continuous Monitoring Replaces the Annual Checklist
The traditional approach to ERP security involves a periodic review, typically once or twice a year. An external auditor examines user access, identifies issues, and produces a report. The organisation then scrambles to remediate findings before the next cycle. By 2026, this pattern is increasingly seen as inadequate across industries from manufacturing to professional services.
Continuous monitoring flips this model entirely. Instead of point-in-time snapshots, it delivers a live view of who has access to what and whether any configurations have drifted from the approved baseline. Authorisation platforms built for Business Central can generate real-time alerts when permission changes occur and visualise the current state of access controls through centralised dashboards.
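The drift check described above, as an added example that is neither the page's nor 2-controlware's code: two snapshots of user-to-permission-set assignments, in the shape of a user, permission set and company export from Business Central's Access Control table, are compared against each other. Additions are the interesting direction, since they widen access; additions of a privileged set such as SUPER are raised as high severity, approved exceptions are suppressed so the alert stream stays actionable, and removals are still reported at low severity because a silently dropped reviewer or approver role is also a control failure. The user names, company name and the VENDOR-MAINT and AP-CLERK sets are constructed; SUPER and D365 READ are standard Business Central permission sets.

```python
"""Drift of permission assignments from an approved baseline (added example,
not 2-controlware code; snapshots below are constructed)."""
import csv
import io

# Baseline = the access auditors signed off. Empty company = all companies.
BASELINE_CSV = """user,permission_set,company
anna,AP-CLERK,CRONUS NL
bert,AP-CLERK,CRONUS NL
bert,PO-APPROVE,CRONUS NL
carla,D365 READ,
"""

# Current = what the system looks like today.
CURRENT_CSV = """user,permission_set,company
anna,AP-CLERK,CRONUS NL
anna,SUPER,
bert,AP-CLERK,CRONUS NL
carla,D365 READ,
carla,VENDOR-MAINT,CRONUS NL
"""

# Sets whose addition is always an incident until proven otherwise. SUPER is
# BC's unrestricted set; the other two are assumed names for this example.
PRIVILEGED_SETS = {"SUPER", "SECURITY", "D365 BUS FULL ACCESS"}


def parse_assignments(text):
    """CSV export -> set of (user, permission_set, company) tuples."""
    return {
        (r["user"], r["permission_set"], r["company"])
        for r in csv.DictReader(io.StringIO(text))
    }


def detect_drift(baseline, current, privileged=PRIVILEGED_SETS, approved_exceptions=frozenset()):
    """Return drift events, highest-risk first: additions (high if privileged,
    otherwise medium), then removals (low)."""
    events = []
    for row in sorted(current - baseline):
        if row in approved_exceptions:
            continue  # e.g. a ticketed, time-boxed assignment already reviewed
        user, pset, company = row
        events.append({
            "change": "added",
            "user": user,
            "permission_set": pset,
            "company": company or "<all companies>",
            "severity": "high" if pset in privileged else "medium",
        })
    for user, pset, company in sorted(baseline - current):
        events.append({
            "change": "removed",
            "user": user,
            "permission_set": pset,
            "company": company or "<all companies>",
            "severity": "low",
        })
    return events


def drift_by_user(events):
    """Group events per user, which is how an access reviewer wants to see them."""
    grouped = {}
    for e in events:
        grouped.setdefault(e["user"], []).append(e)
    return grouped


if __name__ == "__main__":
    baseline = parse_assignments(BASELINE_CSV)
    current = parse_assignments(CURRENT_CSV)
    for user, changes in drift_by_user(detect_drift(baseline, current)).items():
        for c in changes:
            print(f"[{c['severity']}] {user}: {c['change']} {c['permission_set']} in {c['company']}")
```

Run on a schedule against a fresh export and the output is the alert stream the text describes; re-baseline only after each addition has been either approved or reverted, never by overwriting the baseline with whatever is current.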
The shift from reactive to proactive access management is one of the more meaningful security improvements an IT team can make without overhauling infrastructure. It also dramatically reduces the time spent preparing for external audits, a process that in many organisations still consumes dozens of hours per cycle.
Field-Level Controls for Granular Compliance
Standard ERP permissions typically operate at the table or page level. A user either holds read, insert, modify, delete or execute rights on the whole object or does not; there is nothing in between. In many business scenarios, that granularity falls short. Consider a payroll manager who needs employee records but should not see salary details of senior executives, or a sales representative who can update contact information but must not alter payment terms.
Field-level security solves these edge cases by restricting or granting access to individual data fields. Solutions from vendors like 2-controlware.com extend this further with conditional validation rules that enforce data quality at the point of entry. For organisations handling personal data across multiple departments, this kind of control is essential for meeting GDPR obligations in a verifiable way.
The practical benefit reaches beyond compliance alone. When users see only data relevant to their role, the risk of accidental modification drops and the interface becomes noticeably cleaner. A small configuration change at the field level can produce measurable improvements in both security posture and daily usability across an entire organisation.