Roles and permissions in Business Central
As ERP manager you must ensure that users have access to the right data and functions, have the prerequisites to perform their work efficiently, and don’t make mistakes because they have access to something they shouldn’t touch. This chapter walks through Role Centers, profile customization, permission sets, security groups, change log, field monitoring, and approval workflows.
The four basic building blocks
You need to learn four things in this chapter:
| Building block | What it determines |
|---|---|
| Roles (Role Centers) | Which start page and which shortcuts the user encounters |
| Permission sets | What the user can technically do in the system |
| Security groups | The structured and scalable way to manage permissions |
| Controls (change log, field monitoring, approval workflows) | The options for monitoring and governing what happens to data |
Role Centers: the user’s start page
Role Centers are the system’s start page and help the individual user get an overview and easy access to the most relevant functions.
Too many Business Central users start with a random Role Center and stick with it without thinking further about it. The Role Centers are built for specific roles, so it is best to use the correct Role Center and customize it to the user’s tasks. Many employees wear several hats and can benefit from switching between Role Centers.
Role Center isn’t security
The role doesn’t determine what the user can do in the system. It only determines what the user sees on their start page. If a user has super permissions, they can still search for all functions, even though the Role Center only shows shortcuts to a limited number.
Standard Role Centers are usually enough
Most companies use the standard Role Centers, and that works fine. Microsoft is good at making Role Centers that cover the typical roles. As ERP manager you should have a position on which Role Centers your employees should use. You can narrow the list of available Role Centers so that users can only choose between the ones that make sense in your company. You do that under profiles in Business Central.
Help users explore Role Centers
As ERP manager you should help users explore and customize the Role Centers. If you bring the functions and information that are important for a specific role to the front of the Role Center, you help the users in that role get more out of Business Central.
| Customization type | Who sees the change |
|---|---|
| Personalization | Only the individual user |
| Profile customization | All users with the same profile |
| App-based customization | The entire company through a custom-built solution |
Users can customize their own Role Center with personalization, and you can as administrator make profile customizations. If you need something more extensive, there are apps that make it easy to build company-specific Role Centers with their own structure and layout.
Profile customization: changes that apply to an entire role
Business Central has many predefined profiles that cover everything from accountant to sales manager to warehouse employee. As administrator you can customize the page layout for a profile so that all users with that profile see the customized pages.
How to customize a profile
You select “Customize Pages” from the profile card. Business Central opens in a customization mode where you can move, hide, or add fields and actions, exactly as a user does with personalization. The difference is that the changes apply to all users with the profile.
Copy an existing profile
If you need a profile that resembles an existing one but with adjustments, you can copy a profile and modify the copy. That is useful when you have several teams working in the same areas of Business Central but in different ways.
Clear the user’s personalization in case of conflict
If a user has made personal customizations that conflict with your profile customizations, you can clear the user’s personalization from the profile card. That is also where you assign profiles to users.
Permission sets: what the user can actually do
Permission sets determine what a user can actually do in Business Central. For each table in the system you can determine whether the user may:
- insert new records
- read data
- modify existing records
- delete records
The problem with giving everyone super permissions
Business Central is a large system with many functional areas. Many companies assign all permissions to every user and turn them all into super users with access to everything.
That is a poor solution. Everyone knows it. We repeatedly see companies that are aware it isn’t smart but have taken the easy path. Typically it happens when a new employee starts and there is no time to define permissions. Then someone says “just give her super”, and it never gets changed.
It causes problems when an audit comes around. One of the first things an auditor asks for is a list of your super users. If the answer is “all employees”, it gets embarrassing.
Business questions you must address
There are many business questions to address:
- who may create a purchase order
- who may make a payment to a vendor
- who may edit a vendor’s master data and bank details
The combination of the three is problematic. If a vendor employee must be able to perform all three things at different times, you need to set up not only permission sets but also business processes with for example approval workflows.
A pragmatic approach to permissions
We recommend a pragmatic approach. Is it dangerous that a user can see the exchange rates in the system? Probably not. Is it dangerous that a user can edit a vendor’s bank details? Yes, and that must be restricted to selected employees.
Focus the effort on the data that is critical in the business, rather than trying to control every single table.
Use Microsoft’s predefined permission sets as a foundation
Microsoft has created a range of standard permission sets that cover the most common roles. They are grouped by typical user roles and contain the necessary read, modify, insert, and delete permissions.
Use Microsoft’s predefined permission sets as a foundation. Avoid building your own permission sets from scratch, where you choose table by table yourself.
Why custom permission sets break at updates
Every time Microsoft updates Business Central, they add new tables and pages, and they make sure to update their own predefined sets. If you have built your own permission sets manually, you don’t have the new tables included.
We have seen the consequence in practice. When Business Central is updated, tables are missing from the manually built sets, and nobody can sign in. You can avoid that by using the predefined sets.
Composite permission sets replace user groups
In the old days you used user groups in Business Central to bundle users and permission sets together. User groups are now retired. They are replaced by two mechanisms:
| Mechanism | What it does |
|---|---|
| Security groups | Based on Microsoft Entra ID. Used to group users and assign permission sets together. |
| Composite permission sets | Permission sets that include other permission sets as building blocks. |
Example of a composite permission set
You can create a composite permission set you call “Approver” and include the relevant Microsoft standard sets plus any extra permissions for, for example, Continia Document Capture, Expense Management, or other apps. You get a kind of group, built as a permission set that contains multiple permission sets.
Benefits of composite permission sets
When Microsoft updates their standard sets, the updates automatically flow into your composite set. You avoid an outdated permission set missing new tables.
Exclusion at the top level
One of the important options with composite permission sets is that you can exclude permissions at the top level. That is different from the older Dynamics NAV solutions, where you could only grant positive permissions. In Business Central you can say “this user must not have access to G/L entries”, and the exclusion takes effect no matter how many permission sets are otherwise added.
Use the predefined permission sets as building blocks, combine them in a composite permission set, and exclude the critical areas that users shouldn’t have access to.
Testing permission sets: trial and error with one user
Setting up permissions is usually a trial-and-error process. No ERP manager has full insight into every corner of every employee’s role, and even experienced consultants cannot think through all scenarios in the first round.
How to test new permissions
A good approach:
- Make a draft permission set for each role
- Select one employee as a guinea pig
- Remove Super from that user and add the new permission set
- Have the employee test their daily work
- When the employee runs into something they lack access to, they report it
- Adjust the set continuously
- Only roll out to the rest of the group when the set works for the test user
Why you find more in testing than on paper
A role description rarely captures everything. An order taker may also adjust reservations on the warehouse. A support employee may work in more modules than the ERP manager realized. You only find that out in testing.
Internal task or partner task
The task can be performed internally if you want to learn it. Many companies choose to get help from their ERP partner to make the first drafts and then maintain them themselves.
Permissions Overview: new oversight from 2026
In 2026 Microsoft introduced a new page called “Permissions Overview”. It provides a centralized overview of all permission sets across installed apps and extensions.
With Permissions Overview you can:
- see which permission sets grant access to a specific object (for example which sets allow editing of customer data)
- see which security groups and users are linked to each permission set
- perform security audits faster
- troubleshoot access problems without navigating across many pages
- document for the audit who has access to what
Security groups connect Entra ID to Business Central
Security groups are the third part of the puzzle. With security groups you connect Microsoft Entra ID (formerly Active Directory) with permission sets in Business Central.
That is Microsoft’s standard way to manage user access, not only in Business Central but across the entire Microsoft platform. Business Central previously had its own system with user groups, but it is now replaced by security groups in Entra ID. Business Central follows the same model as the rest of your Microsoft infrastructure.
What Entra ID is
Entra ID is essentially a directory of all the company’s users. You can access it through the Microsoft 365 admin center. Technically Entra ID and Microsoft 365 are two different portals, but you can manage users and groups in both places. When we say “Entra ID” or “Microsoft 365”, it is in practice the same user database.
How to create and connect security groups
In Entra ID you create security groups such as “BC Access Sales”, “BC Warehouse”, or “BC Approvers”. In Business Central you connect these groups to specific permission sets. When you add an employee to the security group in Entra ID, they automatically get the permissions linked to the group in Business Central.
License assignment happens in Entra ID, not in Business Central
Security groups govern the assignment of permission sets in Business Central. They don’t govern license assignment. That happens in Entra ID or the Microsoft 365 admin center.
If you create a security group for approvers and link a Team Member license to the group in Entra ID, the license is assigned automatically when a user is added. They are two separate setups:
| Setup | Where you do it |
|---|---|
| License | Entra ID / Microsoft 365 admin center |
| Permission set | Business Central |
In practice IT and the business work together. IT sets up the security groups and license assignment in Entra ID. The ERP manager links permission sets to the groups inside Business Central.
The license type is the upper limit
The license type sets an upper limit for what the user can do, regardless of which permission sets you assign. A Team Member can never post, even if you assign super user permissions. That is limited by the license type. Read more about licenses in a separate chapter.
Environment management with security groups
If you have multiple environments, for example one for each country your business operates in, you can use security groups to manage access to each environment. Create a group called “BC Country 1” and add it to the country 1 environment in the admin center. Then only members of that group can sign in to that Business Central.
It is a simple and effective way to keep control of access when you have environments across countries or legal entities.
License configuration: a detail many overlook
An important detail many overlook: Business Central has a page called “License Configuration”. It determines which default permissions are automatically assigned when a new user signs in for the first time.
If you choose to manage permission sets with security groups, you should remove the default setup in license configuration. Otherwise your users end up with two sources of permissions: those from the security group and those from license configuration. That creates confusion and makes it hard to see what a user really has access to.
On a user card in Business Central you can see two sections: “Permissions” (assigned in license configuration) and “Permissions from security group”. The user’s combined permissions are the sum of both. We recommend that you stick to security groups.
Why it pays to invest time in permissions
Many companies still don’t have a grip on permissions. It is like with the seatbelt. You don’t need it until things go wrong.
When the audit asks
When the audit asks, or an employee accidentally changes data she shouldn’t have had access to, you as ERP manager are left with the problem.
When you have completed the setup work with security groups and permission sets, it is easier to show the audit that things are under control. You can open the security group and show the member list. You typically have only one or two super users: the ones who administer Business Central.
The administrative gain in everyday work
There is also an administrative gain in everyday work:
- new employees can be onboarded faster
- fewer “can’t you just give her super” situations
- a clear structure that everyone can understand and follow
Access to others’ data and history
Even if a user has access to an area, it isn’t certain that they should see all data in that area. Three examples:
- a salesperson naturally has access to sales orders, but should the salesperson see all colleagues’ sales orders or only their own
- an accounting employee has access to sent emails from Business Central, but should the employee see the emails that colleagues in other departments have sent
- in an approver portal such as Continia Document Capture, should an approver see the entire archive of previous purchase documents or only the documents they have approved themselves
Permission sets don’t answer these questions
These are questions that permission sets don’t answer. Permission sets decide whether you technically have access. Access policies decide whether you can see others’ records within the area you have access to.
Email policies as an example
The sent emails sit in Business Central, and you can as ERP administrator set up who may see which emails. For each user you can choose one of three policies:
| Policy | What the user sees |
|---|---|
| Own only | Only emails the user has sent themselves |
| All | All emails sent from Business Central |
| Conditional on related records | Others’ emails if the user has access to both the invoice and the customer |
The default setting may not be what you want
If you don’t specify a policy for a user, Business Central uses the default “View if access to all related records”. Users can by default see each other’s emails. That is worth knowing because it may not be the setting you want.
You should apply the same consideration to all areas where users can see historical data, and decide what is appropriate in your company.
Change Log and Field Monitoring: two types of monitoring
Access permissions aren’t everything. You must supplement them with tools that monitor and govern business processes. Business Central has two separate monitoring functions that it is important not to confuse:
| Function | What it does | Type of control |
|---|---|---|
| Change Log | Logs changes at table level. You choose tables and fields. | Reactive (backward-looking) |
| Field Monitoring | Sends notification as soon as the value of a specific field is changed. | Proactive (real-time) |
How to use Change Log
If you enable Change Log on changes to bank details on vendors, Business Central logs all changes. You can reactively see exactly who edited a vendor’s bank account.
Most auditors expect you to have Change Log enabled on bank details, but you can apply it to many other areas.
Change Log isn’t a security measure. It is only history. You can use Change Log to document breaches of business processes or to find the causes of problems, for example when someone changed data in good faith but it turns out to have an unintended consequence elsewhere.
How to use Field Monitoring
Field Monitoring is a newer function targeted at sensitive fields. You mark specific fields, for example a vendor’s IBAN number or the company’s bank account details, and get an email notification as soon as someone changes the value. Field Monitoring is more focused and proactive. Instead of going through a log, you are notified immediately.
Only monitor what you need
Logs and monitoring are very useful, but only monitor what you need. Use it on the critical areas such as payment details and unit costs. You shouldn’t log all postings. That sets Business Central up for double work and creates a lot of data in the database.
Retention policy for logs
Consider your retention policy for logs:
- changes in payment details you may want to be able to see many years back
- changes in order confirmations you rarely need to store for very long
Decide what you want to use each log for.
Approval workflows as proactive control
Logs and monitoring are reactive controls. If you want to proactively avoid unwanted data changes, you need to set up an approval workflow. That is a process where a change requires one or more employees to approve it.
Two workflow systems in Business Central
Business Central has two separate workflow systems that can be used for approvals:
| System | Where you build | Best for |
|---|---|---|
| Built-in workflows in Business Central | The Workflow page in Business Central | Simple, standardized approvals |
| Power Automate | The Power Automate platform via a connector | Advanced scenarios across systems |
How to build a built-in workflow
You create a workflow in Business Central by choosing:
- an event (for example “a purchase order is released”)
- a condition (for example “the amount exceeds a defined threshold”)
- an action (for example “send an approval request to the manager”)
Business Central provides a range of templates you can copy and adapt.
Power Automate for more advanced flows
Power Automate is Microsoft’s no-code/low-code process tool. It can be connected to Business Central via a connector and contains functionality such as notifications in Teams and Outlook and integration with other systems.
The two systems complement each other. An approval workflow you create in Power Automate is automatically added to the list of workflows in Business Central. You use the built-in workflows for simple approvals and Power Automate for more advanced scenarios.
You probably already have access to Power Automate through your Microsoft 365 license. It makes sense to build all kinds of approval workflows there, especially if you need approvals beyond the standard events that Business Central’s built-in workflows support.
Why you should have approval workflows
As ERP administrator you should consider which areas it makes sense to apply approval workflows to. Approval workflows are not only about protecting the company from fraud. They are also about:
- ensuring data quality
- ensuring that business processes are followed
- avoiding errors that lead to manual cleanup of data
- creating credibility around the business processes