TMCnet Feature Free eNews Subscription
July 07, 2026

Why ERP Authorization Gaps Remain One of the Most Underestimated Security Risks



When organizations invest in cybersecurity, the budget tends to flow toward firewalls, endpoint detection, and identity management. Internal application permissions, particularly within ERP systems like Microsoft (News - Alert) Dynamics 365 Business Central, rarely receive the same scrutiny. That mismatch creates a blind spot that both attackers and auditors notice quickly.

The issue is structural. ERP platforms house financial transactions, customer data, and supply chain operations in a single environment. A user who can both create a vendor and approve payments has a segregation of duties conflict that opens the door to fraud, whether intentional or accidental.

Dutch software company 2-controlware.com has spent over 17 years building authorization tooling specifically for Microsoft Dynamics environments. Their focus on conflict detection and continuous monitoring reflects a growing recognition that permission management is not a one-time setup task but an ongoing security discipline. The company, based in Breda, emerged from the IT audit firm 2-Control and has since become an independent entity.

Segregation of Duties Is Not Just an Audit Checkbox

Segregation of duties, often abbreviated as SoD, is a principle that predates digital systems entirely. It means no single person should control all steps of a critical process. In an ERP context, this translates to making sure the employee who enters invoices cannot also release payments.

Most organizations configure basic role structures during their initial ERP implementation. The problem surfaces months or years later, when role changes, temporary access grants, and workarounds accumulate into a tangled permission landscape. By the time an external auditor flags the issues, dozens of SoD conflicts may already exist.

Compliance frameworks such as SOx and GDPR explicitly or implicitly require organizations to demonstrate proper access controls. Failing an audit is costly, but the greater risk is that undetected conflicts enable fraudulent transactions that go unnoticed for extended periods. For companies with hundreds of ERP users across multiple departments, the probability of such conflicts is not theoretical.

Why Business Central Permissions Deserve Dedicated Attention

Microsoft Dynamics 365 Business Central serves tens of thousands of organizations worldwide, from mid-market manufacturers to professional services firms. Its permission system uses permission sets, user groups, and entitlements. That combination is flexible enough to accommodate complex organizations but also surprisingly easy to misconfigure.

A common scenario involves copying an existing user profile when onboarding a new employee. Over time, the copied profile may have accumulated permissions far beyond what the new role requires. Without a structured review process, this kind of privilege creep becomes the norm rather than the exception.

Products like Authorization Box (News - Alert) from 2-Controlware address this by allowing administrators to design role structures visually, detect conflicts before they become active, and monitor authorization changes continuously. Their Field Security module takes this further by restricting access at the individual data field level, not just at the page or table level. That granularity matters when an organization needs to prove to regulators exactly who can see or modify sensitive financial data.

Continuous Monitoring Changes the Security Posture

Traditional authorization reviews happen annually or quarterly, often driven by audit deadlines. That cadence leaves wide windows during which new conflicts can emerge undetected. A single role change in March might not surface until the external auditor visits in November.

For IT managers and compliance officers, shifting to continuous monitoring means moving from reactive remediation to proactive control. Instead of scrambling to fix findings before a deadline, teams can address issues as they arise. The team behind 2-controlware.com has built this monitoring capability directly into their product suite, reflecting the principle that authorization management is a living process rather than a periodic project.

Organizations subject to regulatory scrutiny in sectors like finance, healthcare, and government stand to benefit most. But any company running Business Central with more than a handful of users faces the same underlying challenge: permissions drift over time, and without active oversight, that drift creates measurable risk.

What a Mature Authorization Strategy Looks Like in Practice

A robust approach starts with mapping critical business processes and identifying which permission combinations create conflicts. This mapping should happen before configuring any tooling. Too many implementations skip this step and jump straight to technical setup, which inevitably leads to gaps that only surface during an audit.

Once conflicts are defined, user templates and organizational role structures provide a repeatable framework for onboarding and role changes. Every new user receives exactly the permissions their function requires, nothing more. Periodic recertification ensures that access rights still match actual job responsibilities, especially after internal transfers or reorganizations.

The practical outcome is transparency. When everyone from the CFO to the application administrator can see who has access to what and why, decision-making around access becomes faster and more defensible. For organizations running Business Central across multiple legal entities or international offices, that level of visibility is no lo

» More TMCnet Feature Articles
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
SHARE THIS ARTICLE

LATEST TMCNET ARTICLES

» More TMCnet Feature Articles