Why ERP Authorisation Gaps Still Catch Financial Teams Off Guard

Enterprise resource planning systems sit at the core of financial operations, yet the way organisations manage who can do what inside these platforms remains surprisingly fragile. A Gartner report estimated that over half of ERP security incidents stem from excessive or misconfigured user permissions, and the problem has not gone away in the years since.

The shift to cloud-based ERP environments, particularly Microsoft Dynamics 365 Business Central, has introduced new layers of complexity. Organisations that once managed authorisation through a handful of on-premises roles now deal with hundreds of permission sets across multiple legal entities. For compliance officers and IT managers, this is no longer a background concern.

Specialist providers have emerged to address exactly this gap. The 2-Controlware solutions, for instance, focus exclusively on authorisation management within Business Central. Their approach reflects a broader industry trend: generic security tools are giving way to purpose-built platforms that understand the specific permission structures of individual ERP systems.

The Real Cost of Misconfigured Access Rights

When a warehouse employee can approve their own purchase orders, or a finance clerk can modify vendor bank details without oversight, the risk is not theoretical. These are the exact scenarios that lead to fraud, data leaks, and audit failures. In regulated industries, a single misconfigured role can trigger non-compliance with SOX or GDPR requirements.

The challenge is scale. A mid-sized organisation running Business Central might have 200 users spread across five legal entities, each with distinct permission needs. Manually tracking who has access to what becomes nearly impossible beyond a certain threshold. According to a 2024 survey by the Institute of Internal Auditors, 61% of internal audit teams reported that ERP access reviews took longer than planned due to unclear permission structures.

Automated tools that map permissions to organisational roles help reduce this burden considerably. Products like Authorization Box, developed by the Breda-based firm 2-Controlware, allow administrators to design role-based access frameworks and detect conflicts before they become audit findings. The distinction between reactive access reviews and proactive role design is what separates organisations that scramble during audits from those that pass them without disruption.

Segregation of Duties Under Regulatory Pressure

Segregation of duties, often abbreviated as SoD, is one of the oldest principles in financial control. The idea is straightforward: no single person should control all steps in a critical process. In practice, enforcing SoD inside an ERP system is anything but simple.

Business Central ships with a flexible permission model, but it does not natively flag SoD conflicts. That means an organisation could unknowingly grant a user the ability to both create and approve journal entries. The Public Company Accounting Oversight Board flagged internal control deficiencies related to IT access in 34% of its 2024 inspection findings, underscoring how widespread the issue remains.

Field-level security adds another dimension entirely. Business Central permission sets grant access per object (table data, page, codeunit, report), and that level of granularity is often too coarse for organisations handling sensitive financial data. Some companies need to restrict specific fields, such as cost prices or employee salary figures, to particular user groups. Without granular field-level controls, even carefully designed role structures can leave critical data exposed to the wrong eyes.

Continuous Monitoring Changes the Compliance Conversation

Traditional authorisation reviews happen quarterly or annually. An auditor pulls a list of user permissions, compares it against a control matrix, and flags discrepancies. This approach worked when ERP environments were static, but cloud platforms change constantly as new users are added, roles are copied, and temporary access quietly becomes permanent.

Continuous monitoring flips this model on its head. Instead of periodic snapshots, monitoring tools track permission changes in real time and alert administrators when a conflict arises. The 2-Controlware platform, for example, includes a Central Management module that provides ongoing visibility across multiple Business Central environments from a single dashboard.
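To make concrete both what "flagging SoD conflicts" means for a Business Central permission model and how a continuous-monitoring tool turns it into an alert, here is an added example. It is not code from the article, from Microsoft or from 2-Controlware. It models permission sets as the RIMDX flags they grant per object, defines business capabilities as the object permissions a user needs to exercise them, and checks a rule list against each user's effective permissions per company (a blank company on an assignment means all companies, as in Business Central). The object IDs used (81 Gen. Journal Line, 13 Gen. Jnl.-Post Batch, 23 Vendor, 288 Vendor Bank Account, 38 Purchase Header, 454 Approval Entry) are the standard Business Central IDs as I know them and should be verified against your own tenant; the permission set names, users, companies and snapshots are constructed for the example.

```python
"""SoD conflict detection over Business Central style permission assignments.

Added example, not part of the article or of any vendor's product. Object IDs
are assumed to match the standard Business Central objects named in the
comments; check them in your tenant before using these rules in anger.
"""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# (object type, object ID, permission) where permission is one of R I M D X.
Atom = Tuple[str, int, str]
# A user's assignment: permission set name and the company it applies to
# (None = all companies, like a blank Company field in Business Central).
Assignment = Tuple[str, str, Optional[str]]
Conflict = Tuple[str, str, str, str]  # (user, company, capability A, capability B)

# Constructed permission sets: the RIMDX flags each grants per object. Only
# direct ("Yes") grants are modelled; "Indirect" grants are left out because
# the user cannot exercise them directly.
PERMISSION_SETS: Dict[str, Dict[Tuple[str, int], str]] = {
    "GL-JOURNAL-EDIT": {("TableData", 81): "RIMD"},                             # Gen. Journal Line
    "GL-JOURNAL-POST": {("TableData", 81): "R", ("Codeunit", 13): "X"},          # Gen. Jnl.-Post Batch
    "VENDOR-EDIT":     {("TableData", 23): "RIM", ("TableData", 288): "RIMD"},   # Vendor, Vendor Bank Account
    "AP-PAYMENT":      {("TableData", 81): "R", ("Codeunit", 13): "X"},          # post payment journals
    "PO-CREATE":       {("TableData", 38): "RIMD"},                              # Purchase Header
    "PO-APPROVE":      {("TableData", 454): "RM"},                               # Approval Entry
}

# Business capabilities expressed as the atoms a user needs to exercise them.
CAPABILITIES: Dict[str, FrozenSet[Atom]] = {
    "create_journal_lines":       frozenset({("TableData", 81, "I")}),
    "post_journals":              frozenset({("Codeunit", 13, "X")}),
    "edit_vendor_bank_accounts":  frozenset({("TableData", 288, "M")}),
    "create_purchase_orders":     frozenset({("TableData", 38, "I")}),
    "approve_purchase_documents": frozenset({("TableData", 454, "M")}),
}

# Pairs of capabilities that must not meet in one person within one company.
SOD_RULES: List[Tuple[str, str]] = [
    ("create_journal_lines", "post_journals"),
    ("edit_vendor_bank_accounts", "post_journals"),
    ("create_purchase_orders", "approve_purchase_documents"),
]


def effective_atoms(assignments: List[Assignment], user: str, company: str) -> Set[Atom]:
    """Union of everything `user` may do in `company` across assigned permission sets."""
    atoms: Set[Atom] = set()
    for assigned_user, pset, scope in assignments:
        if assigned_user != user or scope not in (None, company):
            continue
        for (obj_type, obj_id), flags in PERMISSION_SETS[pset].items():
            atoms.update((obj_type, obj_id, flag) for flag in flags)
    return atoms


def find_conflicts(assignments: List[Assignment], companies: List[str]) -> Set[Conflict]:
    """Every (user, company) pair that holds both sides of an SoD rule."""
    conflicts: Set[Conflict] = set()
    for user in sorted({a[0] for a in assignments}):
        for company in companies:
            atoms = effective_atoms(assignments, user, company)
            can = {name for name, needed in CAPABILITIES.items() if needed <= atoms}
            for cap_a, cap_b in SOD_RULES:
                if cap_a in can and cap_b in can:
                    conflicts.add((user, company, cap_a, cap_b))
    return conflicts


def new_conflicts(before: List[Assignment], after: List[Assignment], companies: List[str]) -> Set[Conflict]:
    """Continuous-monitoring view: conflicts introduced between two snapshots."""
    return find_conflicts(after, companies) - find_conflicts(before, companies)


COMPANIES = ["CRONUS NL", "CRONUS DE"]

# Constructed snapshot of user-to-permission-set assignments at quarter start.
SNAPSHOT_Q1: List[Assignment] = [
    ("ANNA", "GL-JOURNAL-EDIT", None),          # all companies
    ("ANNA", "GL-JOURNAL-POST", "CRONUS NL"),   # posts only in the Dutch entity
    ("BOB",  "VENDOR-EDIT",     None),
    ("CARL", "PO-CREATE",       "CRONUS DE"),
]
# The same users a few weeks later: Bob picked up a copied payment role to
# cover a colleague's leave, and Carl was given approval rights "temporarily".
SNAPSHOT_LATER: List[Assignment] = SNAPSHOT_Q1 + [
    ("BOB",  "AP-PAYMENT", None),
    ("CARL", "PO-APPROVE", "CRONUS DE"),
]

if __name__ == "__main__":
    for c in sorted(find_conflicts(SNAPSHOT_Q1, COMPANIES)):
        print("baseline conflict:", c)
    for c in sorted(new_conflicts(SNAPSHOT_Q1, SNAPSHOT_LATER, COMPANIES)):
        print("NEW conflict:", c)
```

Run as-is, the baseline reports only Anna's create-and-post conflict, and only in CRONUS NL, because her posting rights are scoped to that company. The later snapshot adds three new conflicts: Bob can now both maintain vendor bank accounts and post payment journals in both companies, and Carl can create and approve purchase documents in the German entity. A quarterly review would surface these weeks after the fact; evaluating `new_conflicts` on every assignment change is the alerting behaviour the text describes.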

The financial technology sector, where regulatory scrutiny from bodies like the European Banking Authority is particularly intense, stands to benefit most from this shift. Fintech companies operating under MiFID II requirements cannot afford to treat access management as an afterthought. In the Netherlands alone, the Dutch Authority for the Financial Markets issued 12 formal warnings related to IT governance shortcomings in 2025, several of which cited inadequate access controls in core financial systems.

Where ERP Access Management Is Heading

The direction is becoming difficult to ignore. ERP authorisation is moving from manual, spreadsheet-driven processes toward automated, policy-based frameworks. Microsoft itself has expanded the permission set architecture in Business Central over the past two years, but the native tooling still lacks conflict detection and SoD enforcement out of the box.

Third-party authorisation solutions that integrate tightly with Business Central’s permission model are filling this gap with increasing sophistication. The market for specialised authorisation software remains niche, but it is growing steadily as more organisations recognise that access management sits at the intersection of IT, finance, and legal compliance.

For any organisation running Dynamics 365 Business Central with more than a handful of users, the gap between default security settings and what auditors actually expect continues to widen. Closing it requires tooling that goes beyond what the platform provides natively, and a recognition that role design is a discipline in its own right, not a task to delegate to whoever happens to manage user accounts.

TechBullion

FinTech News and Information

Copyright © 2026 TechBullion. All Rights Reserved.
