The Authorization Box authorizes users in Business Central per database through an Organization Chart.
In the Organization Chart, you create Departments and Organization Roles.
Organization Roles have Permission Sets assigned.
Users are assigned to one or multiple Organization Roles through Authorization Requests.
Changes in the Organization Chart will result in Approval Requests.
Go to Authorization Framework => Organization Chart and click on the button 'New'.
Name the Organization Chart. (In most cases, this will be the organization name)
You can create multiple Organization Charts for multiple purposes.
‘Save & Close’ : Saves the Organization Chart and closes the window; the new Chart is added to the overview
‘Cancel’ : Cancels the creation of the Organization Chart and closes the window
Next, you need to add Departments.
Click on the Organization Chart in the overview screen to open the visual overview of the chart.
Icons above the line, under the name of the Department name :
+ : Adds a new department
pencil icon : Edits the department name (do not use the “/” in the name of the Department as this will cause an error in the export and import of the structure)
x : Removes the department
When you edit an Organization Chart for a parent connection, you can specify if an Organization Chart is applicable for all children or for specific children.
When an Organization Chart is applicable for specific children, that Organization Chart and its Roles are now only visible for the specific child connections.
Organization Roles are linked to Departments. Add the Organization Roles to the Department in the Organization Structure by clicking on the icon “Add a new Organization Role”.
Name : Name for the new Organization Role.
Description : Short description of the Organization Role.
Profile ID : Select a Profile Id if this is applicable.
Approval Template : Select an Approval Template if this is applicable.
Company required in Authorization Requests : Tick the checkbox if this is applicable.
Number of approvers authorization request : Choose “According to General Setup (Default)”. Choose a number if you want to deviate from the General Setup.
‘Save & Close’ : Saves the new Organization Role and opens the Organization Role card to be finished.
‘Cancel’ : Cancels adding the new Organization Role and returns to the visual overview of the Organization chart.
Blocked for assignment : Tick the checkbox if you want to block this Organization Role from being assigned.
‘Save’ : Saves the request as is.
‘Close’ : Saves the request as is and closes the view.
‘Approval requests’ : Shows an overview of all approval requests on this Organization Role.
'Change Log Entries' : Shows an overview of all changes to this Organization Role.
‘Process’ : Processes the request (only visible if no approval is required for this request).
‘Send Approval Request’ (button will be visible instead of “Process” in case approval is required) : Changes the status of the request from “Changed” to “to be approved”.
‘New’ : Add Permission Sets to the role (at least 1 set is required).
‘New’ : Add an Authorization Template for this role.
‘Change order’ : Change the order the templates should be processed.
‘Edit’ : Assign to which Approval Group this Organization Role has to be assigned (if applicable).
‘Change order’ : Change the order of the Approval Groups when a request has to be approved.
Go to Authorization Framework => Organization Chart where you find an overview of all created Organization Charts.
Click on the 'Export/Import' button of the Organization Chart you want to export and choose for “Export Structure”.
A message appears that an email will be send with the option to download the Structure.
The created Excel file consists of the following sheets:
If you have our module User Templates, the next sheets will also be available :
After you have made the required changes on these sheets, you can Import them by choosing what you want to import.
Options without our module User Templates :
Options with our module User Templates :
Select the correct(ed) file (using Browse) and click on 'Import'.
Depending on the Approval Settings, the system will process the new authorizations or create new Authorization Requests for the changes made.
Go to Authorization Framework => Company Groups and click on the button ‘New’.
After saving the Company Group you have to select the companies that have to become part of that group.
Click under the fasttab “Companies” on ‘New’.
Click on the Companies you want to be part of that Group (you can select more at once)
‘Save & Close’ : Saves the adding of the chosen companies and returns to the Company Group card.
‘Cancel’ : Cancels the adding of the chosen companies and returns to the Company Group card.
The selected Companies are now part of that Group and will be visible when you have selected that Company Group.
To remove a company from the Company Group, click on the X mark icon.
Depending on your Approval Settings, click on 'Process' or ‘Send Authorization Request’ to finalize the grouping of the Companies.
The status of the Company Group will change from “New” to “Processed”.
Changes to a Company Group can be viewed when you click on the Modifications icon of that Company Group
All changes regarding to Company Groups can also be found in the Change Log Entries
(Authorization Framework=>Change Log Entries)
The Permission Set Recorder is being replaced by our Compliance Advanced Permissions Recorder app.
As of the 2024.10 release of the Compliance Essentials app, the recorder functionality is no longer available.
For older versions of the Compliance Essentials app, the functionality will remain available until 2024/12/31.
We advice you to switch to the Compliance Advanced Permissions Recorder app as soon as possible.
You can download the Compliance Advanced Permissions Recorder app from AppSource or from our Partner portal.
For more information on how to use the Compliance Advanced Permissions Recorder, please see this page of our wiki.
The Permission sets are being cached for performance reasons.
When you sign in to the Authorization Box or when you switch connections, the system checks how old the cache for the current connection is.
If it is older then a day, the cache will automatically be refreshed for that connection.
When you add a permission set or make changes to an existing one, either in Business Central or in the Authorization Box, and the cache is not older than a day, these changes will only be visible after you have renewed the cache manually.
You can manually refresh the permission sets cache from the permission sets page by clicking on the Refresh button in the top right corner of the permission sets page. There, you can also find the date and time of when the cache was renewed.
The recording of permission sets makes it possible within Authorization Box to add new permissions within your Business Central environment.
There are a number of things that are important to set up or have at your disposal:
To start a recording follow the steps below:
1. In Business Central, search for “Session” and open “Record Session”.
2. Select a session ID to record
3. click on ‘Start’
Now switch to the Authorization Box and go to Authorization Framework => Permission Management => Record Permission Set
Select the user whose actions you want to record in Business Central.
If you find an incorrect user or no user at all, this may have the following reasons:
When you have chosen the user, click on 'Next'
The screen of the Record Session shows the date and time of the recording you started in Business Central.
In the field “Permission Set to record”, enter the Name and Description (max. 30 characters) of the Permission Set. In addition, you can choose which rights to include: Read, Insert, Modify, Delete and/or Execute.
Usually Insert, Modify and Delete are chosen in recording Permission Sets.
To refine Permission Sets, you can choose the set from the dropdown menu (in “Permission set to refine results”) to ensure that pages and reports from a Permission Set are filtered and only the usable tabledata remains. You can select a “universal” Permission Set which is assigned to all users (for example a LOGIN, BASIC or ALL set) to automatically clean the recorded Permission Set, so no rights will be assigned to the new set which are already assigned in the “universal” set.
Choose the correct Object Type. Default only “TableData” is chosen.
Modify Existing Permission Set : This option is not used often. When this box is checked, you can check if a permission set is included incorrectly or incompletely. You can choose to completely overwrite an existing set or add new tabledata to it.
The following buttons are shown at the bottom of the screen:
Click on 'Start'. The system will show that recording has started.
Have the user for which this Permission Set is being recorded, perform the actions in Business Central that have to be made possible with that specific Permission Set. The system should automatically assign the correct objects to the new Permission Set because of these actions.
When all actions have been made, stop the recording in the Authorization Box and in Business Central.
The new Permission Set should have been added into the system, with the corresponding objects to the performed actions already assigned to it.
To view the Permission Sets in the Authorization Box go to Authorization Framework => Permission Management => Permission Sets.
All the Permission Sets from the linked Business Central database will be listed.
The columns in this overview show the Type, Extension Name, No. Of linked Users and No. Of linked Organization Roles.
By clicking on a Permission Set you will see the details of that Permission Set.
Fasttabs :
You can also add Permission Sets in the Authorization Box.
Go to Authorization Framework => Permission Management=>Permission Sets and click on 'New'.
Fill in the short name for the Permission Set and a name for this Permission Set.
Click on 'Save & Close'.
In the next screen you can add Objects for this set under the fasttab Objects.
'Save' : Saves changes made in the name of the Permission set without closing the window.
‘Save & Close’ : Saves the changes made and closes the window.
‘Cancel’ : Cancels the changes made and returns to the Permission sets overview.
'New' : add a new Object to the Permission Set.
Available Type to assign to a Permission Set :
TableData : The actual data stored within tables in the database.
Page : Used to display and organize data visually.
Report : Used to structure and summarize data from the database, and to print or display this information in a formatted way.
Table : Used for storing an managing data.
Codeunit : A container for AL code that encapsulates business logic.
XMLPort : Used to import and export data between Business Central and external sources.
MenuSuite : Used in earlier versions (like Dynamics NAV) to define the main menu content displayed in the Navigation Pane. This object is no longer supported in the latest versions of Business Central.
Query : Used to retrieve and manipulate data from one or more tables in the database.
System : This layer includes essential functionalities and services that support the core application, such as authentication, permissions, and data synchronization.
All types have the option to choose an “Id” and to “Execute”.
The type "TableData" however, has more options, which are described below.
After having chosen an “Id”, assign the rights by choosing nothing, Yes or Indirect in the lines for the “Read”, “Insert”, “Modify” and “Delete” permissions.
("Indirect" means, that a user has to have two permissions to i.e. write to a table: the indirect permission to write to the table and additionally the right to execute an object which has the permission to write directly to that table)
‘Save & Close’ : Saves the adding of the object and closes the window.
‘Save & New’ : Saves the adding of the object and returns to the start screen to add a new object.
‘Cancel’ : Cancels the adding of the object and returns to the Edit Permission set window.
As it is a User Defined permission set, you can edit it afterwards with the pencil icon (visible in the Permission sets overview).
[In the near future you will also need approval for the adding and changing of User Defined permission sets.]
With Permission Set Groups you can assign different Permission sets as a group to Organization Roles.
To add a Permission Set Group go to Authorization Framework => Permission Management => Permission Set Groups and click on the button 'New'.
Name : Enter the name for the Permission set Group.
‘Save & Close’ : Saves the new Permission Set Group and opens the Permission Set Group card.
‘Cancel’ : Cancels adding the new Permission Set Group and returns to the overview.
On the Permission Set Group card, you select the Permission Sets which you want to collect in this Group.
Click on the button 'New' and select the required Permission Sets.
You can select multiple sets by clicking on the different names. A check mark will appear behind the chosen sets.
‘Save & Close’ : Saves the selected Permission sets to the group and closes the window.
‘Cancel’ : Cancels adding the selected Permission sets to the group and closes the window.
As soon as you have added or removed Permission sets to the group and you 'Save & Close' , the header will show the status “Changed”.
If you want to finish editing the group, you have to click 'Process' to finalize the change(s) made.
‘Close’ : Closes the card and doesn't change the status of the card at that point.
‘Process’ : Processes the change(s) made and changes the status of the card from “Changed" into “Processed”.
‘Approval requests’ : Shows the overview of changes made to that group.
Shows which Users have been assigned this Permission Set Group
Shows which Organization roles have been assigned this Permission Set Group
You have to create an Authorization Request to assign or revoke an Organization role to a user.
The Users are being cached for performance reasons.
When you sign in to the Authorization Box or when you switch connections, the system checks whether the cache for the current connection is older than a day.
If so, the cache will automatically be refreshed for that connection.
When you add a user or make changes to an existing one, either in Business Central or in the Authorization Box, and the cache is not older than a day, these changes will only be visible after you have renewed the cache manually. You can manually refresh the Users cache from the Users page by clicking on the Refresh button in the top right corner of the Users page.
In the top right corner, you can also find the date and time of when the cache was renewed.
View and manage users in the Users tab within User Management.
Default only the Active users will be visible. To change this, choose an other option in the top left corner with “Filter on … users”. The (default) list contains all current users from the Business Central and Authorization Box environment.
Sample of an overview :
When an active user does not have a checkmark in “exists only in Dynamics” you will be able to edit this user by clicking on the pencil icon.
Here you can change the setting “Overwrite Current Permissions”.
When this is activated (checked) the user will only have permissions based on assigned Organization Roles in the Authorization Box.
‘Save & Close’ : Saves changes made and returns to the User overview
‘Cancel’ : Cancels changes made and returns to the User overview
Should the changes not have been synced with Business Central, you can manually sync this by opening this User and click on ‘Synchronize’ and the option “All”.
You can add a request for changes of a user which is not activated for the Authorization Box, by clicking on the 'Plus (+) sign'.
For an active user, you can use the button ‘New authorization request’ on the User page.
Or you can go to User Management=> Authorization Requests and choose the active User to make an Authorization Request for that User.
Click on a user in the overview (Users) which is activated in the Authorization box (colored blue and has a link) to open the User Card of that particular user.
New Authorization request button : Opens a new authorization request for this user
Synchronize button : Synchronizes actions which still have “To be processed”. Optionally if you want to fully synchronize this user choose “All”.
User Name : Is populated automatically when the user was made
Name : Is populated automatically when the user was made
Checkbox “Overwrite Current Permissions” : When this box is checked, all permissions for this user which have been assigned directly in Business Central will be removed if they are not part of one of the organization roles assigned to this user
Checkbox “Doesn’t exist in Dynamics”: Box is checked when the user is not available in Business Central (=removed/deleted)
Checkbox “Exists only in Dynamics”: Box is checked when the user is not activated in the Authorization Box
Checkbox “Activated in Dynamics”: Box is checked when the user has the status Enabled in Business Central
Overview of the organization roles assigned to this user.
Overview of the permission sets assigned to this user through the organization roles assigned.
The permission sets assigned directly through Business Central (and not with an Organization role) will be shown in red and have a checkmark in the column “Directly assigned”.
Overview of the available personal user data.
There are several sections you can expand :
Overview of all the actions on this user that have been processed when executing the Templates which are part of organization roles assigned to this user, or if there have been some pre- or post template actions executed for that user.
When clicking on the magnifying glass in that line, it will show the query for that template, showing e.g. the approver and the amounts applicable to that approval template.
Also, when a synchronization task has resulted into an error because of a query, you can find in this fasttab why that query was unsuccessful.
The column “Error Text” will describe why the query was not executed.
This fasttab shows an overview of the synchronizations on this user.
Whenever a change has been made to an organization role assigned to this user, or any other changes in the Authorization Box which have impact on the user, a synchronization will be run and shown in this log.
You have to create an Authorization Request to assign or revoke an Organization Role for a user.
To create a new Authorization Request navigate to User Management => Authorization Requests .
In this screen you can create new requests or delete outstanding requests.
You can only delete requests with the status Canceled or New.
To create a new Authorization Request, click the ‘New’ button.
Click on ‘Save’ to finalize the Authorization Request.
In the header of the next screen, the following options are presented.
- Deactivate user : Check this option to deactivate an existing User in Business Central
- Profile-id : In case of a new user : choose the Profile-id for this user
- Note : You can fill in any remarks and use several text lines. This text will be visible in the Request for Approval.
Click on ‘Save’ to save the changes you made so far.
If this is all you would like to do, you can click on ‘Send Approval Request’ or ‘Cancel Request for Approval’ when Approval is enabled.
If Approval is not enabled, you can click on “'Process' to have this Request processed.
Should you also want to assign an Organization Role (or Roles), you can do this before you click on ‘Send..’, ‘Cancel…’ or ‘Process’ the Request.
In case of a new user, it is mandatory to assign at least one (1) Organization role.
To assign an Organization Role to the User, you can click on ‘New’ under the fasttab “Organization Role”.
The following options are then presented to fill / choose :
Click on ‘Save & Close’ if you have finished adding Organization Roles to this User.
Click on ‘Save & New’ if you want to add an other Organization Role to this User.
The newly added Organization Role(s) are now visible with the state “New”. At this time it is also possible to edit this line in the Organization Role by clicking on the ‘Edit pencil’ at the end of that line (e.g. to use an other Start Date or assign an other Company etc.) . If you have finished editing, you can close again with ‘Save & Close’.
You can also remove this new Organization Role by clicking on the ‘Revoke button (x)’ at the end of that line.
If one or more Organization Roles were already assigned to a User, you can revoke them through a new Authorization Request.
In this new Authorization Request you can click on the ‘Revoke button (x)’ next to the Organization Role that you want to revoke.
After entering the End Date and clicking on ‘Save’ the State will show “To be deleted”.
As soon as the Authorization Request is complete you have to send this for Approval.
This is only required if the number of approvers is not 0 (zero) for the Organization Role(s) in the Authorization Request.
Otherwise the ‘process’ button is already available on the Authorization Request.
By processing the Authorization Request, the Permissions will be linked to the user in Business Central.
If approval is required, press the button ‘Send Approval Request’.
The state of the request will change to “Waiting to be Approved”.
To Cancel the Approval request, use the button ‘Cancel approval request’.
If required, you can now make changes in the Authorization Request or cancel the whole Authorization Request using the button ‘Cancel request’.
When a change on an Organization Role is rejected, the status will be “Rejected”.
!! The rejection of the change on the Organization role still has to be processed in that role.
To process this rejection, you will have to go to User Management => Authorization Requests and click on ‘Process’.
The processing of the Authorization Request is performed in the background. Therefore it is possible that the result is not immediately visible in the Authorization Box.
If changes have been processed, the system creates a synchronization log record.
This record shows the basis on which the synchronization took place (for example an authorization request) and for which user this was done.
You can view the processed Authorization Requests by going to User Management => Processed Authorization Requests.
Click on the name in the column Authorization Request to view the details of that request.
When approvers were required for a request, an icon will be visible in the column “Approvers”.
Clicking on it will show the details of the approved/rejected request.
With approval management you set up if and/or how many approvers would be required for authorization requests.
You can assign approver(s) and set up how many approvers would be required in general or assign a different number of approvers to organization roles.
To deviate from the default number of approvers, you can assign the number of approvers on the role it self or make use of approval groups.
Through Setup => Approval settings you can change if approval on requests are required.
You can set up a default number of approvers for :
- company groups (add/edit requests)
- permission set groups (add/edit requests)
- organization roles (add/edit requests)
- authorization requests
The number of approvers which are set in these fields are the number of approvers which will be required when the Number of approvers in an organization role is set to “According to General Setup (Default)”.
Go to Setup=>Approvers, to assign the approvers.
Click on ‘New’.
Choose the user you want to assign approval rights to.
Choose the approval type(s) you want to assign to that user.
‘Save & Close’ : Saves the assignment(s) and closes the screen
‘Cancel’ : Cancels the assignment(s).
You can setup how many approvers are required for the assignment of certain organization roles by using Approval Groups.
Go to Setup=>Approval Groups.
Click ‘New’.
Give a description for the Approval Group.
Set the number of required approvers for that group.
Click ‘Save & Edit’.
Choose which users should approve according to that group by moving them (with the arrow(s)) from the left to the right part.
‘Save’ : Saves the changes made
Choose the role(s) this group should be assigned to by moving them (with the arrow(s)) from the left to the right part.
‘Save’ : Saves the changes made
‘Save & Close’ in the header : Saves the settings in that Approval Group.
You will see a confirmation that the settings have been changed.
The Organization role(s) will also show this approval group has been assigned to that/those role(s).
Even if the Default General Settings is set to “No approvers” for any request, an authorization request for this role still needs 2 approvers.
Besides the “Default” assigned number of approvers, you can assign a different number of approvers for an organization role by using the field “Number of approvers authorization request”.
!! Make sure you process this change to activate this number of approvers.
User Management=>Authorization Requests will show an authorization request made on a user and sent for approval
When you click on “Waiting to be Approved” it will show the overview of that approval request.
It will show how many approvers are required, which approver(s) would be required and what the status is. It also shows who made that request and when.
The approvers will receive a notification that a request has to be assessed and can find this request in “Requests for approval”
In the Requests for approval, the Pending requests shows :
The number mentioned in the green oval mentions the number of approvers required for that authorization request.
For instance, when you have an authorization request in which you want to add 3 organization roles to a user, and each organization role requires 1 approver, the number in the green oval will show the number “3” even though the request would be fully approved if 1 approver approved the request.
An other example, when you have an authorization request in which you want to add 3 organization roles to a user, and 1 role requires 2 approvers, the number in the green oval will show the number “4”.
Using the 'eye icon' (column Review) the approver will open the request where an approval or rejection can be given to that request.
When a request is Rejected, a memo field will appear where you can fill in the reason of rejection or any other note you want to be visible in the Processed authorization request.
A rejected request (still visible in the Authorization Requests), needs to be Processes manually. Once processed, this rejection will appear in the Processed Authorization Requests. (User Management=>Processed Authorization Requests)
Opening the rejected request will show details of the rejected approval.
Hovering over the Information icon behind “Rejected” in the Status column, will show the note which was made during rejection.