ERP systems centralize vital financial and operational data—making them powerful tools, but also prime targets for fraud and misuse without strong security and access controls. Securing that business-critical data is therefore a fundamental step in protecting your organization’s sensitive financial information.
If your organization runs Microsoft Dynamics 365 Business Central, you understand how essential this Enterprise Resource Planning (ERP) application is to your financial operations. However, despite their criticality, ERPs are often left under-protected when it comes to user access.
Instances of fraud committed by overprovisioned business application users are more common than you may think. For example, in July 2025, a Miami woman was charged with embezzling more than $600,000 from her employer while working as an executive assistant. Using her access to payroll and accounting systems, she issued unauthorized checks and payments to herself and her son over the course of 19 months.
Even well-implemented ERPs, like Dynamics 365 BC, can become vulnerable without access hygiene. This is where User Access Reviews (UARs) come in.
UARs seek to answer 3 main questions:
In many organizations, UARs happen on an annual or quarterly basis. The process for conducting UARs, also known as Access Certification campaigns, is typically owned by the IT department, without engaging the application owners.
Often, the IT team uses spreadsheets to keep track of access reviews and must manually reach out and remind application owners or team managers to complete their reviews. When done manually, UARs are time-consuming, siloed, and painful—which greatly reduces their effectiveness.
There is also the issue of “review fatigue”. Reviewers often lack visibility into roles, permission sets, and Segregation of Duties (SoD) conflicts, making reviews confusing and ineffective. When a role name is technical, reviewers can’t understand what a user can do with their access and the UAR becomes a “check the box” exercise.
1. Aggregate permission sets and indirect access: Combinations of permission sets can create hidden access paths, and indirect permissions let users perform, through another object, functions that were never explicitly assigned to them.
2. Security group access: Configuring security based on Entra ID groups can make user setup and maintenance easier, but it can also make it harder to report on what access a user has and how they are getting that access.
3. Excluded permissions: Using excluded permissions to remove access from already configured permission sets can make setup and maintenance easier, but it can also make reporting on what access a user has more difficult.
4. Out-of-the-box permission sets are over-permissive: Native roles are designed from a business functional standpoint, not for security and compliance. This means they often include access beyond a user’s job scope.
5. Lack of visibility into what users can actually do with access: A permission set named “Read-only” may still carry other permissions. Real access depends on the underlying object-level permissions.
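To make pitfalls 1, 2, 3 and 5 concrete, here is an added review-side model (not Microsoft's or Fastpath's code) that resolves a user's effective object-level rights from composed permission sets, direct assignments and Entra ID group assignments, recording the path each right comes from. It assumes, as labelled in the comments, that a composed set is the union of its own and included rights minus its own exclusions, and that a user's access is the union across every assigned set; all set names, objects, users and groups are constructed sample data.

```python
# Added model (not Microsoft's code) of how Business Central-style permission
# sets compose, over constructed sample data. Assumption: a composed set =
# union of its own and included sets' rights minus its own exclusions, and a
# user's access = union over every assigned set, direct or via an Entra group.
from collections import defaultdict

PERMISSION_SETS = {            # constructed: (object, rights) + includes/excludes
    "D365 READ": {"perms": [("TableData Vendor", {"Read"})]},
    "VENDOR-EDIT": {"perms": [("TableData Vendor", {"Read", "Modify"})]},
    # Named read-only and excludes Modify, yet see the group assignment below.
    "AP READ-ONLY": {"includes": ["D365 READ", "VENDOR-EDIT"],
                     "excludes": [("TableData Vendor", {"Modify"})]},
}
ASSIGNMENTS = {"alice": ["AP READ-ONLY"],      # direct user assignment
               "AP-Clerks": ["VENDOR-EDIT"]}   # Entra ID security group
GROUP_MEMBERS = {"AP-Clerks": {"alice", "carol"}}

def resolve_set(name, sets=PERMISSION_SETS, path=frozenset()):
    """Rights granted by one set: includes flattened, own excludes removed."""
    if name in path:                        # guard against circular includes
        return {}
    spec, rights = sets[name], defaultdict(set)
    for obj, r in spec.get("perms", []):
        rights[obj] |= r
    for inc in spec.get("includes", []):
        for obj, r in resolve_set(inc, sets, path | {name}).items():
            rights[obj] |= r
    for obj, r in spec.get("excludes", []):
        rights[obj] -= r
    return {obj: r for obj, r in rights.items() if r}

def effective_access(user, assignments=ASSIGNMENTS, groups=GROUP_MEMBERS):
    """Union over direct and group assignments, recording each right's path."""
    access = defaultdict(lambda: defaultdict(set))   # obj -> right -> paths
    for principal, set_names in assignments.items():
        if principal != user and user not in groups.get(principal, ()):
            continue
        via = "direct" if principal == user else f"group {principal}"
        for ps in set_names:
            for obj, rights in resolve_set(ps).items():
                for r in rights:
                    access[obj][r].add(f"{ps} via {via}")
    return {obj: dict(v) for obj, v in access.items()}

def write_findings(user):
    """Review lines for every non-Read right the user can actually reach."""
    return [f"{user}: {r} on {obj} through {', '.join(sorted(p))}"
            for obj, rights in sorted(effective_access(user).items())
            for r, p in sorted(rights.items()) if r != "Read"]
```

Run `write_findings("alice")`: the exclusion inside “AP READ-ONLY” does remove Modify from that set, but the group-assigned VENDOR-EDIT still grants it, which is exactly the path a spreadsheet-based review would miss.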
Start your access review program by focusing on roles that pose the greatest risk, such as those with financial posting rights, vendor master access, or elevated permissions like the “Super” role. These roles are often overlooked after go-live, leading to Segregation of Duties conflicts and increased exposure to fraud or error. A risk-based approach ensures your efforts are targeted and impactful.
Manual processes introduce human error and slow down reviews. Replace spreadsheets with automated workflows that route tasks to the right approvers, send reminders, and escalate overdue items. Automation also helps identify disabled or orphaned users who retain access through indirect roles, improving both efficiency and accuracy.
Dynamics 365 Business Central includes powerful features to support secure role design:
Using these tools helps streamline configuration and uncover risks that might otherwise go unnoticed.
IT teams may understand the technical side of permissions, but business owners know what users should be able to do. Involve application stakeholders in every review cycle to ensure access aligns with job responsibilities. When IT and business owners communicate and work together, each review produces clear guidance on user and permission set access, so your business can make informed decisions.
Security isn’t a one-time exercise. As your organization evolves, so do roles and responsibilities. Establish a recurring review process to catch outdated access, overprovisioning, and permission set design issues. Use insights from past reviews to continuously improve your security posture and reduce manual cleanup in future cycles.
Bonus tip
Consider using a purpose-built access governance solution like Fastpath Access Certification for D365BC. It automates review workflows, eliminates spreadsheets, and reduces fatigue, making it easier to stay compliant and audit-ready.
Effective user access reviews in Microsoft Dynamics 365 Business Central don’t have to be overwhelming. By focusing on these 5 lightweight strategies, you can reduce risk and improve audit readiness.
To learn more about trends and tips for access certifications, check out our on-demand webinar: The Evolution of Access Certifications—Optional No More.
If you’re attending Community Summit from October 20-23, 2025 in Orlando, FL, stop by to see us at booth #1706 for a demo of new features and functionality for D365. We also have 8 sessions on the agenda, including our partner showcase on Monday, October 20th from 11:00am-12:00pm where we’ll cover the latest and greatest solutions.