Most organisations running Microsoft Dynamics 365 Business Central invest heavily in implementation, customisation and training. Yet one area consistently falls through the cracks: managing who can do what inside the system. Authorization management sounds straightforward on paper, but in practice it creates headaches ranging from minor inefficiencies to serious compliance violations that can derail an audit in a matter of hours.
The challenge is not a lack of awareness. IT managers know that poorly configured permissions create risk. The real problem is that many organisations still rely on manual processes, spreadsheets or default role configurations that were never designed for their specific workflows. By the time an auditor flags a segregation of duties conflict, the damage is already done.
Specialist vendors have emerged to address exactly this gap. 2-Controlware solutions, developed in Breda by a team with roots in IT auditing, focus exclusively on authorization design, monitoring and compliance within the Business Central ecosystem. That kind of deep specialisation matters when the alternative is patching together generic tools never built for Dynamics environments.
What Regulators Actually Expect in 2026
Compliance frameworks such as SOx, the AVG and sector-specific standards all require organisations to demonstrate that access to sensitive data is appropriately controlled. The European Commission’s Digital Operational Resilience Act, which took effect in January 2025, has added another layer for financial institutions. Proving that only the right people can approve payments or modify supplier records is no longer optional.
Auditors in 2026 are far more technical than they were a decade ago. They do not simply accept a screenshot of a permission set. They want evidence of ongoing monitoring, documented role design and a clear process for handling conflicts. The Dutch Authority for the Financial Markets (AFM) has repeatedly flagged IT access weaknesses as one of the most frequently cited control issues in its supervisory activities throughout 2025.
Where Default Configurations Fall Short
Business Central ships with standard permission sets that cover common roles. These work for initial setup and smaller organisations with limited complexity. Problems emerge as companies grow, add custom extensions or operate across multiple legal entities, because a permission set designed for a single-site retailer cannot account for the segregation of duties requirements at a mid-market manufacturer with subsidiaries in three countries.
Segregation of duties is where things get particularly tricky. The principle is simple: no single user should be able to both create a purchase order and approve the corresponding payment. Mapping every potential conflict across dozens of roles and hundreds of permissions is enormously time-consuming without dedicated tooling, and many IT teams discover conflicts only during an audit, which is exactly the wrong moment.
Dedicated authorization software can automate conflict detection and flag issues before they become findings. Tools from vendors such as 2-Controlware offer continuous monitoring, user templates and field-level security that restricts access down to individual data fields and actions. That granularity goes well beyond what standard Business Central permission sets were designed to deliver.
Evaluating Specialist Authorization Software
Not every organisation needs the same level of control. A 20-person company with no external compliance obligations may manage with careful manual configuration. Once headcount exceeds roughly 50 users, or once external audits enter the picture, the economics shift decisively in favour of specialist software that automates what would otherwise consume days of manual effort each quarter.
When evaluating 2-Controlware solutions or comparable products, practical questions matter more than feature lists. Does the tool integrate natively with Business Central without middleware? Can it handle multi-environment setups for organisations with central management needs? Does it produce audit-ready reports without hours of manual data extraction? These questions determine whether a tool genuinely saves time or simply adds another system to maintain.
Track record also deserves weight in the selection process. A vendor that has spent over 17 years solving authorization problems across NAV and Business Central has encountered edge cases that newer entrants cannot anticipate. That accumulated knowledge shows up in product design, support quality and the speed with which new Business Central releases are covered, all factors that only become visible after implementation.
Steps That Reduce Risk Straight Away
Regardless of which tools you select, several actions can improve your authorization posture immediately. Document your current role design in full. If no one can explain why a particular user holds a specific permission, that permission is a risk. Map your most critical processes, such as procure-to-pay, and identify every point where a segregation of duties conflict could arise.
Establish a review cadence as well. Quarterly permission reviews are common, but monthly reviews suit organisations subject to SOx or DORA far better. Automated monitoring makes this manageable even for lean IT teams of two or three people. Without automation, reviews tend to slip down the priority list until the next audit reminder lands in someone’s inbox.
