What is soft security?
Soft security refers to the visual configuration of the user interface. By assigning a Profile (like Sales Order Processor or Purchasing Agent), you are essentially tailoring the user's workspace to improve efficiency and clarity.
The key thing to understand is that a Profile and a Permission Set are two completely separate concepts in Business Central. A Profile controls what a user sees. A Permission Set controls what a user can do. Configuring one has absolutely no effect on the other.
Business Central actually has three distinct layers of UI customization, none of which touch the security layer beneath them. At the top, administrators configure Profile-level layouts for entire roles. Below that, individual users can personalize their own workspace, and those personal changes can even override the admin's profile settings. All of this sits entirely above the permission system, which operates independently.
While Profiles are excellent for user experience, they do not impose any hard technical restrictions on what a user can actually do in the system.
3 ways users can bypass "soft security"
If you rely solely on hiding menu items without backing them up with hard Permission Sets, a curious or malicious user can still reach sensitive data in seconds.
1. The "Tell Me" (Search) Function
The search bar (Alt+Q) is the most common bypass route. Even if a page is completely hidden from a user's Role Center, typing its name into the search bar will surface it instantly. If the underlying permissions allow it, the user can open that page and view or edit data right away. Developers can limit which pages appear in Tell Me results, but this is still a UI-level measure. It does nothing to block access at the system level.
2. URL Manipulation
Business Central is a web-based application, and every page, report, and record has a unique ID embedded in the URL. An experienced user can simply edit the URL in their browser to navigate directly to a sensitive page, skipping the navigation menu entirely. No technical expertise required.
3. Personalization and Design Mode
Users can "Personalize" their own screens to reveal fields and actions that were intentionally removed from the standard Profile layout. Administrators can disable personalization on a per-profile basis, but even then, this only affects what is visible on screen. It does not restrict what the system will actually allow the user to do if they find another route in.
Why use hard security?
To truly secure your environment, you must go beyond the interface and work with Permission Sets, which operate at the object level.
The moment a user attempts any action in Business Central, whether it is reading a record, inserting data, modifying a field, deleting an entry, or executing a process, the system checks whether their assigned Permission Sets allow it. These five permission types (Read, Insert, Modify, Delete, Execute) are enforced regardless of what the user sees on screen. If a user searches for the "Bank Account" table without the Read permission, Business Central blocks them immediately, no matter which Profile they have.
Beyond object-level security, Business Central also supports record-level security through security filters. This means you can restrict a user not just to certain pages or tables, but to specific records within those tables. A regional sales rep, for example, can be limited to seeing only the customers in their own territory, even if they have general access to the Customer page.
The best of both worlds
Profiles and Permission Sets are not competing tools. They are complementary, and a well-designed authorization setup uses both intentionally.
Use Profiles to create a clean, focused workspace for each role. Show users what they need and remove the clutter that slows them down. Use Permission Sets to draw the actual security boundaries, granting access only to the objects and records each role genuinely requires.
The right order matters too: permissions should always be defined first, based on what each role actually needs to do. The profile is then layered on top to make that experience as smooth and intuitive as possible.
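One way to check whether an environment leans on the curtain rather than the lock is to compare what each Profile shows with what the assigned Permission Sets allow. The script below is an added example, not code from Business Central or from this article's author. The profile names, permission set names, users and data layout are all constructed for illustration, and it assumes that permissions from several assigned sets combine as a union.

```python
# Added example: list pages a user may still run although the Profile hides them.
# All data below is constructed; it is not an export format of Business Central.

# Permission Sets: name -> {(object type, object name): permission letters}
# R=Read, I=Insert, M=Modify, D=Delete, X=Execute
PERMISSION_SETS = {
    "SALES-BASIC": {
        ("TableData", "Customer"): "RIM",
        ("TableData", "Sales Header"): "RIMD",
        ("Page", "Customer List"): "X",
        ("Page", "Sales Orders"): "X",
    },
    "LEGACY-ALL": {  # over-broad set left assigned because the menu hides it
        ("TableData", "Bank Account"): "RIMD",
        ("Page", "Bank Account List"): "X",
    },
}

# Profiles: name -> pages shown in the role's navigation (hypothetical layout)
PROFILES = {"Sales Order Processor": {"Customer List", "Sales Orders"}}

USERS = [
    {"name": "alice", "profile": "Sales Order Processor", "sets": ["SALES-BASIC"]},
    {"name": "bob", "profile": "Sales Order Processor",
     "sets": ["SALES-BASIC", "LEGACY-ALL"]},
]

def effective_permissions(set_names):
    """Union the permission letters of all assigned sets, per object."""
    merged = {}
    for name in set_names:
        for obj, letters in PERMISSION_SETS[name].items():
            merged[obj] = "".join(sorted(set(merged.get(obj, "")) | set(letters)))
    return merged

def curtain_only_pages(user):
    """Pages the user may run (X) although the assigned Profile hides them."""
    visible = PROFILES[user["profile"]]
    perms = effective_permissions(user["sets"])
    return sorted(name for (kind, name), letters in perms.items()
                  if kind == "Page" and "X" in letters and name not in visible)

def audit(users):
    """Map each user to the pages protected only by the Profile layout."""
    return {u["name"]: curtain_only_pages(u) for u in users}

if __name__ == "__main__":
    for name, pages in audit(USERS).items():
        print(name, "->", pages or "no hidden-but-permitted pages")
```

Every page this reports is reachable through Tell Me, a direct URL or personalization, so the fix is to remove the permission, not to adjust the Profile.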
Conclusion
Think of a Profile as a curtain and Permission Sets as a locked door. A curtain might hide what is behind it, but it will not stop someone from walking through. Only a locked door, built on a foundation of well-structured Permission Sets, provides the security your business requires.
Is your Business Central environment relying on curtains instead of locks? Download our whitepaper to learn how to design a permissions framework that actually protects your data.