Why Authorization Management Has Become a Leadership Priority

There was a time when access rights inside an ERP system were configured once and rarely revisited. That time is over. For organizations running Microsoft Dynamics 365 Business Central, authorization management now sits at the intersection of compliance, data security, and operational risk.

Regulatory frameworks like SOx and GDPR have forced leadership teams to take a harder look at who can access what inside their core business systems. The question is no longer just technical. It is strategic, because a single misconfigured user role can expose sensitive financial data or violate segregation of duties requirements that auditors flag within minutes.

Via 2-controlware, a Dutch software company based in Breda that has spent 17 years building authorization tools for Microsoft Dynamics environments, the conversation around access control has shifted noticeably. "We used to explain what authorization management is," says Rik Harmsen van der Vliet, who leads the company. "Now the question from IT managers and CFOs is how to do it properly, not whether it matters."

The Shift from IT Task to Boardroom Concern

Authorization management used to be handled by a system administrator who copied user profiles when onboarding new employees. That approach worked when organizations had a handful of users and limited compliance obligations. Today, a mid-sized company running Business Central might have dozens of roles with overlapping permissions that nobody fully oversees.

Rik Harmsen van der Vliet points to a specific pattern he has observed over the years. "A financial controller discovers during an audit that three people in procurement can both approve and process purchase orders. That is a segregation of duties conflict, and it often exists because nobody designed the authorization structure deliberately." The fix, he argues, requires leadership involvement, not just a technical patch.

This mirrors what many compliance officers report across industries. When authorization is treated as an afterthought, the resulting access structure becomes a patchwork of inherited permissions and ad hoc adjustments. Cleaning it up demands someone with the authority to make organizational decisions about who should be able to do what.

What Segregation of Duties Actually Demands from Leaders

Segregation of duties, often abbreviated as SoD, is one of the most concrete areas where access control becomes a leadership discipline. The principle is straightforward: no single employee should control all steps of a critical business process. In practice, enforcing this inside an ERP system requires mapping business processes to system roles, something that IT alone cannot decide.

"We implemented stricter access controls after our external auditor raised concerns about our purchase-to-pay cycle," says Geert, a finance director at a manufacturing company in the south of the Netherlands. "What surprised me was how involved I had to be personally. You cannot delegate this entirely to IT because the decisions are fundamentally about business risk." His experience is far from unique among organizations that operate under regulatory scrutiny.

Tools that detect SoD conflicts automatically have made the technical side more manageable. The harder part remains the organizational conversation: which roles need to be separated, and what happens when a small team cannot easily split responsibilities. Those are judgment calls that require someone who understands both the business operations and the risk appetite.

Building an Authorization Strategy That Lasts

A common mistake is treating authorization management as a one-time cleanup project. User roles change constantly. People switch departments, take on new responsibilities, or leave the organization, and without continuous monitoring, even a perfectly designed authorization structure degrades within months.

"After we restructured our roles in Business Central, we assumed the job was done," says Linda, an IT manager at a logistics firm with operations across three European countries. "Six months later, we found that temporary access rights granted during a system migration were still active. That was a wake-up call." Her team now runs quarterly reviews, supported by automated monitoring via 2-controlware that flags deviations from the intended role design.

Rik Harmsen van der Vliet describes this as the difference between designing authorization and governing it. "The design phase gets all the attention because it is visible and urgent. Governance is quieter but equally important. If you do not monitor what happens after go-live, you are essentially hoping nothing goes wrong." His company's philosophy, which he summarizes as putting enjoyment and respect before profit, shapes how they approach these long-term partnerships.

Why This Conversation Belongs in Leadership Circles

For professionals focused on leadership development, the relevance of authorization governance is more tangible than it may appear at first glance. It touches financial integrity, regulatory compliance, data privacy, and operational efficiency. The leaders who recognize this tend to avoid the costly surprises that surface during audits or after data breaches.

Organizations working with Microsoft Dynamics 365 Business Central face this challenge in a particularly concrete way, because the system's flexibility means authorization structures can become complex quickly. Having the right tooling matters, but having a leadership mindset that treats access control as an ongoing responsibility matters just as much. The companies that get this right are the ones where someone at the top consistently owns the question: who has access to what, and why.