Harnessing Dynamics 365 Business Central Permissions the Righter Way: Reining In Attachment Chaos and Securing Your ERP
Enterprise Resource Planning (ERP) systems like Microsoft Dynamics 365 Business Central serve as the digital backbone of modern organizations, orchestrating financials, supply chain, human resources, and customer relationships in a unified platform.
With so much critical data flowing through one system, control mechanisms can quickly become a major risk factor for both business performance and security. Unchecked user access can lead to data sprawl, compliance breaches, and a loss of trust among stakeholders.
In this article, we’ll explore why granular access control is vital in any ERP and demonstrate how Business Central’s permission set framework—leveraged “the Righter Way”—provides a scalable, governance‑focused solution to one of the most common pain points: rogue document attachments.
The High Stakes of Access Control in ERP
- Data Integrity & Compliance
When users have broad insert or delete rights, critical records can be inadvertently or maliciously altered. Whether it’s a sales order, vendor invoice, or sensitive employee document, lack of appropriate safeguards exposes organizations to audit failures and regulatory penalties.
- Segregation of Duties (SoD)
Effective SoD practices require that no single user have end‑to‑end control over a transaction. For example, the person who creates a purchase order should not be able to approve the resulting invoice and process the payment. Permissions in the ERP must enforce these separations to mitigate fraud risk.
- Operational Efficiency
Overprivileged users often generate clutter like unnecessary attachments, test records, or erroneous data entries that bog down system performance and cause procedural confusion. Cleaner, more focused access rights translate into faster searches, streamlined workflows, and lower storage costs.
- Audit Trail & Accountability
In a highly regulated environment, knowing who did what, when, and why is critical. Restricting attachment capabilities ensures that every document added or removed is attributable to a user who legitimately needs that right, a key pillar in any audit‑ready organization.
Business Central’s Permission Set Framework
Business Central delivers a flexible permission set architecture that allows administrators to:
- Define Table Level Rights: Grant Read, Insert, Modify, or Delete on individual tables (e.g., Document Attachment, Tenant Media).
- Use Include/Exclude Record Filters: Limit those rights further by specific record relations (for example, only Purchase Orders).
- Leverage Effective Permissions: Identify inherited or overlapping permissions that might inadvertently expand a user’s capabilities.
- Integrate with Entra Security Groups: Assign permission sets to security groups rather than individual users for simpler, centralized management.
By combining these features, Business Central can enforce the principle of least privilege, ensuring users see only what they need—and nothing more.
Rein In Attachments: The Righter Way Solution
With a clear understanding of why strict access control is non‑negotiable and having seen how Business Central’s permission set framework lets you define, filter, and audit user rights, the next step is to apply these principles to a real‑world challenge. Let’s turn our focus to one of the most pervasive pain points in ERP governance, uncontrolled document attachments, to see exactly how “the Righter Way” approach puts theory into practice.
The goal: lock down rights at the table level while still empowering the right people to add files where they belong.
The challenge: limit most users to read-only access to attachments, while a handful of users can insert, modify, and delete attachments only on purchase documents.
The approach: At its core, our approach uses two distinct permission sets, backed by Entra Security Groups, along with include/exclude filters to tightly control who can attach documents and where. Let’s look at those permission sets.
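One way to check the outcome this approach aims for, as an added example that is not from the original article or from Business Central: a Python audit over a constructed permission inventory that traces each user through security groups to permission sets and reports write rights on Document Attachment that lack an approved record filter. The set names, group names, user names, the `PURCHASE-ONLY` filter label, and the data layout are all assumptions made for illustration.

```python
"""Audit sketch: who can write to Document Attachment without an approved filter?"""
from collections import defaultdict

TABLE = "Document Attachment"
WRITE = set("IMD")                     # Insert, Modify, Delete
APPROVED_FILTERS = {"PURCHASE-ONLY"}   # placeholder label, not real filter syntax

# Constructed sample data; every name and the layout are hypothetical.
# permission set -> [(table, rights, record filter)]
PERMISSION_SETS = {
    "ATTACH-READ":  [(TABLE, "R", ""), ("Tenant Media", "R", "")],
    "ATTACH-PURCH": [(TABLE, "RIMD", "PURCHASE-ONLY")],
    "LEGACY-FULL":  [(TABLE, "RIMD", "")],   # overlapping set, unfiltered write
}
# security group -> permission sets assigned to it
GROUP_SETS = {
    "SG-BC-AllUsers":   ["ATTACH-READ"],
    "SG-BC-Purchasing": ["ATTACH-PURCH"],
    "SG-BC-Finance":    ["LEGACY-FULL"],
}
# user -> security group memberships
USER_GROUPS = {
    "alice": ["SG-BC-AllUsers"],
    "bob":   ["SG-BC-AllUsers", "SG-BC-Finance"],
    "carol": ["SG-BC-AllUsers", "SG-BC-Purchasing"],
}

def grants_for(user):
    """Yield (group, set, rights, filter) for every grant on TABLE the user inherits."""
    for group in USER_GROUPS.get(user, []):
        for set_name in GROUP_SETS.get(group, []):
            for table, rights, rec_filter in PERMISSION_SETS.get(set_name, []):
                if table == TABLE:
                    yield group, set_name, rights, rec_filter

def effective_rights(user):
    """Union of rights on TABLE across all inherited sets, e.g. 'DIMR'."""
    return "".join(sorted({r for _, _, rights, _ in grants_for(user) for r in rights}))

def audit_attachment_writes():
    """Map each user to the grants that give write access without an approved filter."""
    findings = defaultdict(list)
    for user in USER_GROUPS:
        for group, set_name, rights, rec_filter in grants_for(user):
            if WRITE & set(rights) and rec_filter not in APPROVED_FILTERS:
                findings[user].append((group, set_name, rec_filter))
    return dict(findings)

if __name__ == "__main__":
    for user, grants in audit_attachment_writes().items():
        print(user, effective_rights(user), grants)
```

Each finding names the group and permission set that introduced the right, which is the membership or assignment to review.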