Skip to the content

Approval of authorizations: Who is allowed to do what?

Are you 'in control' of the authorizations in Dynamics NAV and 365 Business Central (BC)? Do you know how authorizations are requested and granted? In practice, users often report that they get an error message when performing an operation that they are supposed to be able to do. But is that really the case? What happens to such reports? Are the authorizations simply grated or is there a procedure for this?

Dynamics NAV and Dynamics 365 Business Central do not have a solution for this. Permission sets or user groups are directly linked to the user. Any documentation and approval takes place outside the system.

Granting and revoking permissions with Authorization Box

Authorization Box is used for granting and revoking permissions in NAV and BC. Within Authorization Box, permissions are granted on organization role level (Role Based Access).

During initial setup the correct permission sets are linked to the organization roles. Granting or revoking these roles is registered via authorization requests. This process is what we call “User Management”.

We recommend using the authorization request approval functionality to ensure that the correct action is taken. This way, after an authorization request is created by, for example, the application manager, the request requires approval by one or multiple approvers, such as controllers or the division manager. Only after the required number of approvers have given their approval, the authorizations are processed into Microsoft Dynamics.

It is possible to request more approvers than the default amount for specific organizational roles. There is also the possibility to appoint specific approvers to organizational roles, so the approval of these specific approvers is required. This second option can be useful for organization roles to which critical permissions are linked.

In the approval request, all information about the change that takes place after the approval is presented. This makes it easier to see which authorizations will be granted or revoked after processing. An approval request, naturally, can also be rejected. A comment can be entered here, so that the reason for rejection is clear to the requester.

Approval in Authorization Framework Management

User management is the most significant part of Authorization management. However, the “Authorization Framework Management” process is just as critical. The Authorization Framework consists of organization roles, permission set groups and company groups. Autorization Box not only allows approval of authorization requests but also approval of changes in the authorization framework. The importance of this is not always recognized and therefore will be further explained below.

Once you have Authorization Box set up, users are linked to one or multiple organization roles. Changing an organization role has an immediate effect on all users linked to this role. For example, when the permission set SUPER is accidentally or maliciously added to the organization role 'Purchaser', all users linked to this organization role immediately get full control in Dynamics NAV or BC. When approval of authorization framework changes like these is required, accidents or fraud can be prevented. The same applies to changes in an authorization set group. If this group is linked to an organization role, the change will be processed directly on the linked users.

Finally, the company group. Organization roles are optionally assigned to users for a specific company or company group. If a company is added to a company group, this will affect users with assigned organization roles for that company group. The authorizations in the organization role are therefore granted to an additional company for which approval is required.

Authorization Box benefits

With Authorization Box you remain in control of the authorizations in Dynamics NAV or BC. Using the approval functionality, changes in the authorizations trough either User Management or Authorization Framework Management will require the data or process owners’ approval.

All functionality related to approval within Authorization Box once again at a glance:

  • Approval configurable on:
    • Authorization requests;
    • Organization roles;
    • Permission set Groups;
    • Company groups.
  • Specific number of approvers per organization role;
  • Specific approvers per organization role;
  • Specific number of approvers per authorization framework type.


Do you have a question? Get in touch with one of our IT audit professionals. We are pleased to help you.