20 April 2026

Stop over-engineering permissions: secure Business Central faster and smarter

In the world of Microsoft Dynamics 365 Business Central, security is often viewed as a "necessary evil." We set up permissions because auditors require it, but also to prevent costly mistakes and ensure accountability. However, many organizations fall into the trap of over-engineering: creating permission structures so complex that they become a nightmare to maintain. 

Read more

Traditional permission management relies on manually adding every single permission a user needs. This "Include-only" mindset leads to: 

  • Time-consuming onboarding: It takes too long to get new employees up and running. 
  • Management overhead: Every role change or system update requires manual adjustments. 
  • Human error: With hundreds of tables and objects, it’s easy to miss a critical restriction. 

The solution: the "exclude" strategy 

The "exclude" functionality in Business Central is a game-changer. Instead of building a wall brick by brick, you start with a broad foundation and "carve out" what is sensitive. This method is faster, more flexible, and significantly reduces the risk of internal control failures. 

A practical 4-step guide to simplified security 

How do you put this into practice? Follow these four steps to build a robust authorization framework: 

Step 1: Identify your "no-go" zones 

Start by identifying sensitive pages and reports that not everyone should see. Think of the Chart of Accounts, Ledger Entries, or sensitive Financial Reports. These are the items you will eventually exclude from your general users. Create permission sets with these pages and reports. 

Step 2: Create task-specific "small" sets 

Instead of massive permission sets, create small, focused sets for specific tasks (e.g., "post purchase invoice"). 

  • Focus: Only the core tables (e.g., Tables 122 and 123). 
  • Permissions: Only give Insert, Modify, and Delete (IMD) rights. 
  • Naming Tip: Use a clear convention like US-PUR INVOICE.  

Step 3: Create a general set for all users 

This is your foundation. Create a general set (like US-GEN ALL) that includes: 

  • Read access to all Table Data. 
  • Execute (X) access to all other objects. 
  • The magic step: exclude the in step 1 created sensitive sets and the specific task sets from Step 2. This ensures users have a working system without having access to "the (sensitive) keys to the vault."  

Step 4: Group Permissions into Roles 

Finally, combine your US-GEN ALL set with the specific task sets to create functional roles, such as an AP Clerk or AP Manager. This modular approach makes it easy to see exactly what a user can dao.

When to use this method? 

While the traditional "include" approach still has its place in more complex or high-security environments, the exclude method is the perfect choice for smaller or simpler environments where speed and manageability are priorities. 
 

The bottom line 

Security shouldn't be a bottleneck. By stopping the over-engineering of permissions and embracing the exclude functionality, you can achieve a compliant, "in control" environment without the administrative headache. 

To listing
Request a demo

2-Controlware B.V.

Haagsemarkt 1
4813 BA Breda
The Netherlands
+31 (0)76 5019470
sales@2-control.nl

VAT NL819640347B01
COC 20142369

2-Controlware Inc.

228 E45th St, #9E
10017 New York
United States of America

Subscribe to our newsletter

Stay up to date with the latest news about our authorization software for Dynamics.