Why Authorisation Management in Your ERP Deserves Serious Attention

When a tech startup scales past 25 employees and starts running operations through Microsoft Dynamics 365 Business Central, the initial setup usually prioritises workflows, invoicing, and reporting dashboards. User permissions get configured once during implementation and then largely forgotten. That quiet neglect is precisely where real risk accumulates.

Most founders understand cybersecurity in broad terms. Firewalls, multi-factor authentication, encrypted storage — these concepts appear in every startup playbook written since 2020. But authorisation management inside an ERP system operates at a fundamentally different level, determining who can approve purchase orders, who can modify financial records, and whether a single person can both create vendors and process their payments without any oversight.

A Breda-based company called 2-controlware.com has been developing authorisation software for Microsoft Dynamics for 17 years, which illustrates just how persistent and widespread this gap remains. Their toolset exists because standard ERP configurations rarely match the access governance needs of growing organisations, especially those subject to SOx or GDPR compliance requirements. It is a niche that most tech entrepreneurs only discover once something goes wrong.

The Real Price of Overly Broad Access Rights

In early-stage companies, granting everyone administrator-level access feels practical when the team is small and trust runs high. A Gartner study from 2023 estimated that over 40 per cent of mid-sized organisations had at least one user retaining excessive ERP privileges well beyond their actual role. The consequences rarely look like a dramatic data breach.

More often, the damage is bureaucratic and expensive. An employee accidentally modifies a general ledger entry, or an auditor discovers a separation-of-duties conflict during a routine compliance review. For companies generating between 5 and 50 million euros in annual revenue, a failed audit can delay a funding round or acquisition by three to six months, costing far more than any software licence ever would.

Why Separation of Duties Extends Beyond the Finance Department

Separation of duties has deep roots in financial governance, but in an ERP environment it touches procurement, HR data, inventory management, and customer records alike. The principle is straightforward: no single user should control multiple stages of any critical process. Business Central provides basic role-based access control, yet it was not built to detect conflicts automatically.

If your procurement lead can also approve their own purchase orders, the system will process the order without objection unless additional controls are layered on top. Dedicated authorisation tools from specialists such as 2-Controlware add automated conflict detection and user templates that enforce separation-of-duties policies from the moment a new employee account is created. That kind of preventive architecture is hard to replicate with manual processes alone.

Regulatory pressure makes this more than a best-practice conversation. The Dutch Data Protection Authority issued 28 enforcement actions in 2025, several of which involved inadequate access restrictions to personal data stored within business applications. Organisations operating under AVG or SOx requirements cannot treat user authorisation as something to sort out later.

How Continuous Monitoring Replaces the Quarterly Spreadsheet

The traditional approach to reviewing user permissions involves a quarterly export to a spreadsheet, followed by manual line-by-line checks. This method collapses when your organisation is adding five new hires per month or reshuffling team structures every quarter. By the time the next review cycle arrives, the access landscape has already drifted well beyond what was originally approved.

Continuous monitoring changes that dynamic entirely. Automated tools flag permission changes the moment they occur, alerting administrators when a new user receives a combination of rights that violates a predefined policy. The authorisation platform developed by 2-controlware.com incorporates this through modules described as Central Management and Continuous Monitoring, designed to keep oversight matched to the pace of organisational change.

For tech entrepreneurs building on Microsoft’s ecosystem, setting up role templates and monitoring rules at 30 users is a manageable weekend project. Retrofitting those same controls once you reach 300 users, particularly after an external auditor has already flagged deficiencies, becomes a significantly more costly and time-consuming exercise that can consume months of internal resources.

A Practical Starting Point for Business Central Users

Begin by mapping every assigned user role in your Dynamics 365 environment against the tasks people actually perform each working day. In many organisations, this exercise alone reveals that 20 to 30 per cent of active permissions are unnecessary or outdated. Stripping away what is no longer relevant reduces your risk surface before you invest in any additional tooling.

From there, define a separation-of-duties matrix that spells out which task combinations your organisation considers unacceptable. The ability to both create vendor records and approve payments is a classic conflict, but every company will have its own specific risks depending on industry, size, and regulatory exposure. Documenting these explicitly now, even with a team of twelve, saves painful retrospective work when external auditors request evidence in your next compliance cycle.
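The three controls discussed above (a separation-of-duties matrix checked against effective permissions, a per-change check that fires when a grant would introduce a new conflict, and the role-to-actual-work mapping that exposes unused rights) can be expressed in a few dozen lines. The script below is an added illustration, not code from this page, from Business Central, or from 2-Controlware's product; every permission-set name, task name, user and activity record in it is constructed for the example and does not correspond to Business Central's real permission sets.

```python
"""Separation-of-duties (SoD) audit for ERP role assignments.

Added example, not code from the page or from any vendor product. All
permission-set names, task names and users below are constructed for the
illustration; they are not Business Central's real permission sets.
"""

# Constructed: which business tasks each permission set grants.
PERMISSION_SETS = {
    "VENDOR-EDIT": {"create_vendor", "edit_vendor"},
    "PAYMENT-APPROVE": {"approve_payment"},
    "PO-CREATE": {"create_purchase_order"},
    "PO-APPROVE": {"approve_purchase_order"},
    "GL-POST": {"post_general_ledger"},
    "REPORT-VIEW": {"view_reports"},
}

# Constructed SoD matrix: task pairs that no single user may hold together.
SOD_MATRIX = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_purchase_order", "approve_purchase_order"}),
    frozenset({"edit_vendor", "post_general_ledger"}),
}


def effective_tasks(permission_set_names, permission_sets=PERMISSION_SETS):
    """Union of the tasks granted by every permission set assigned to one user."""
    tasks = set()
    for name in permission_set_names:
        tasks |= permission_sets.get(name, set())
    return tasks


def find_conflicts(tasks, matrix=SOD_MATRIX):
    """SoD pairs fully contained in one user's task set, sorted for stable output."""
    return sorted(tuple(sorted(pair)) for pair in matrix if pair <= tasks)


def audit_assignments(assignments, permission_sets=PERMISSION_SETS, matrix=SOD_MATRIX):
    """Review-cycle check: map each user to the conflicts their current sets create."""
    report = {}
    for user, sets in assignments.items():
        conflicts = find_conflicts(effective_tasks(sets, permission_sets), matrix)
        if conflicts:
            report[user] = conflicts
    return report


def check_grant(assignments, user, new_set, permission_sets=PERMISSION_SETS, matrix=SOD_MATRIX):
    """Continuous-monitoring hook: evaluate one permission grant at the moment it happens.

    Returns only the conflicts this grant would introduce, so the alert is tied to
    the change itself rather than discovered at the next quarterly review.
    """
    current = set(assignments.get(user, set()))
    before = set(find_conflicts(effective_tasks(current, permission_sets), matrix))
    after = set(find_conflicts(effective_tasks(current | {new_set}, permission_sets), matrix))
    return sorted(after - before)


def unused_tasks(assignments, activity, permission_sets=PERMISSION_SETS):
    """Role-to-work mapping: tasks a user is granted but never performed per the activity log."""
    result = {}
    for user, sets in assignments.items():
        idle = effective_tasks(sets, permission_sets) - activity.get(user, set())
        if idle:
            result[user] = sorted(idle)
    return result


# Constructed sample data: current assignments and what each user actually did last quarter.
ASSIGNMENTS = {
    "anna": {"VENDOR-EDIT", "PAYMENT-APPROVE"},  # the classic create-vendor / approve-payment conflict
    "bram": {"PO-CREATE", "REPORT-VIEW"},
    "chloe": {"GL-POST", "REPORT-VIEW"},
}
ACTIVITY_LOG = {
    "anna": {"create_vendor", "edit_vendor", "approve_payment"},
    "bram": {"create_purchase_order"},
    "chloe": {"post_general_ledger", "view_reports"},
}

if __name__ == "__main__":
    print("existing conflicts:", audit_assignments(ASSIGNMENTS))
    print("granting PO-APPROVE to bram would introduce:", check_grant(ASSIGNMENTS, "bram", "PO-APPROVE"))
    print("granted but unused:", unused_tasks(ASSIGNMENTS, ACTIVITY_LOG))
```

Two design points matter in practice. `check_grant` reports only conflicts that are new relative to the user's current state, so a harmless grant to a user who already has a known, accepted exception does not re-raise the old finding; the old finding still shows up in `audit_assignments`. And the SoD matrix is expressed in business tasks rather than permission-set names, so a renamed or newly created permission set is covered as soon as its task mapping is recorded, which is what allows a template-based onboarding flow to enforce the same policy from the first day of an account's life.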

Growing technology companies in the Netherlands and across Europe are increasingly discovering that ERP governance is not a concern reserved for enterprises with thousands of users. A company with 40 Business Central licences and one careless permission set can face the same audit findings as a multinational. The difference is that smaller organisations have fewer resources to absorb the fallout.