Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Dynamics 365 BC access reviews: where the governance gap shows up


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: User access reviews in Microsoft Dynamics 365 Business Central often fail when teams rely on spreadsheets, low-context reviewers, and infrequent certification cycles, leaving overprovisioned financial access, hidden indirect entitlements, and SoD conflicts untouched, according to Delinea. The governance issue is not review volume alone, but whether access reviews can actually expose what users can do with business-critical permissions.

NHIMG editorial — based on content published by Delinea: User access reviews for Microsoft Dynamics 365 BC, lightweight strategies that work

By the numbers:

Questions worth separating out

Q: How should security teams run access reviews for ERP systems like Dynamics 365 BC?

A: They should start with the highest-risk entitlements, use reviewers who understand business process, and validate effective access rather than relying on role names.

Q: Why do manual access certification campaigns fail in business applications?

A: Manual campaigns fail because spreadsheets and email reminders do not give reviewers enough context to judge effective access.

Q: What breaks when indirect permissions are ignored in ERP reviews?

A: The review stops reflecting actual privilege.

Practitioner guidance

  • Prioritise high-risk ERP roles first Start with financial posting rights, vendor master access, approval roles, and any account with a Super-style entitlement.
  • Review effective access, not role labels Use permission set recording and indirect access analysis to see what a user can actually do, including permissions inherited through groups or excluded from composite roles.
  • Replace spreadsheet campaigns with workflow routing Route reviews to the right business owner, send automated reminders, and escalate overdue decisions so certification is accountable instead of purely administrative.

What's in the full article

Delinea's full article covers the operational detail this post intentionally leaves for the source:

  • A practical walkthrough for reviewing Dynamics 365 Business Central permissions that involve indirect access and excluded permissions
  • Examples of high-risk ERP roles that should be prioritised first in a certification cycle
  • Workflow considerations for replacing spreadsheet-based review tracking with automated routing and escalation
  • Guidance on using native D365BC security features such as Permission Set Recording and Indirect Access Analysis

👉 Read Delinea’s guidance on lightweight user access reviews for Dynamics 365 BC →

Dynamics 365 BC access reviews: where the governance gap shows up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Access reviews fail when they certify assignment, not capability. Business Central illustrates a common governance error: teams approve named roles without understanding the effective permissions those roles create. Aggregate permission sets and indirect access mean the reviewer may sign off on something they never actually saw, which turns certification into documentation rather than control. The practitioner takeaway is that identity governance must validate what the user can do, not just what the directory says they have.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who should own ERP access reviews, IT or business owners?

A: Business owners should make the access decision because they understand what each entitlement means in practice, while IT should provide the workflow, evidence, and reporting. If IT owns the decision without business context, reviewers are likely to approve access they do not fully understand.

👉 Read our full editorial: User access reviews for Dynamics 365 BC need risk-based rigor



   
ReplyQuote
Share: