Authorization Box authorizes users in Business Central per database through an Organization Chart.
In the Organization Chart you create Departments and Organization Roles.
Organization Roles have Permission Sets assigned.
Users are assigned to one or multiple Organization Roles through Authorization Requests.
Changes in the Organization Chart will result in Approval Requests.
Go to Authorization Framework => Organization Chart and click on the button “New”.
Name the Organization Chart. (In most cases this will be the organization name)
You can create multiple Organization Charts for multiple purposes.
Save & Close : Saves the Organization Chart and closes the window, the new Chart is added to the overview
Cancel : Cancels the creation of the Organization Chart and closes the window
Next you need to add Departments.
Click on the Organization Chart in the overview screen to open the visual overview of the chart.
Icons above the line, under the name of the Department name :
+ : adds a new department
pencil icon : to edit the department name (do not use the “/” in the name of the Department as this will cause an error in the ex-/import of the structure)
x : removes the department
When you edit an Organization Chart for a parent connection, you can specify if an Organization Chart is applicable for all children or for specific children.
When an Organization Chart is applicable for specific children, that Organization Chart and its Roles are now only visible for the specific child connections.
Organization Roles are linked to Departments. Add the Organization Roles to the Department in the Organization Structure, by clicking on the icon “Add a new Organization Role”.
A new screen opens
Name : Name for the new Organization Role;
Description : Short description of the Organization Role;
Profile ID : Select a Profile Id if this is applicable;
Approval Template : Select an Approval Template if this is applicable;
Company required in Authorization Requests : Tick the checkbox if this is applicable;
Number of approvers authorization request : Choose “According to General Setup (Default)”. Choose a number if you want to deviate from the General Setup;
Save & Close : Saves the new Organization Role and opens the Organization Role card to be finished;
Cancel : Cancels adding of the new Organization Role and returns to the visual overview of the Organization chart.
Blocked for assignment : Tick the checkbox if you want to block this Organization Role to be assigned;
Save : Saves the request as is;
Close : Saves the request as is and closes the view;
Approval requests : Shows an overview of all approval requests on this Organization Role;
Change Log Entries : Shows an overview of all changes to this Organization Role.
Process : Processes the request. (only visible if no approval is required for this request);
Send Approval Request (button will be visible instead of “Process” in case approval is required) : Changes the status of the request from “Changed” to “to be approved”.
Fasttab Permission Sets :
New : Add Permission Sets to the role (at least 1 set is required)
Fasttab Templates :
New : Add an Authorization Template for this role
Change order : Change the order the templates should be processed
Fasttab Approval Groups :
Edit : Assign to which Approval Group this Organization Role has to be assigned (if applicable);
Change order : Change the order of the Approval Groups when a request has to be approved.
You can export the Organization Structure to Excel.
Later on (after modifications) it is possible to import this in the same environment or another (new) environment.
You can do this in Authorization Framework => Organization Chart where you find an overview of all created Organization Charts.
Click on the “Export/Import” button of the Organization Chart you want to export and click on “Export Structure”.
A message appears that an email will be send with the option to download the Structure.
The created Excel file consists of the following sheets:
If you have our module User Templates, the next sheets will also be available :
After you have made the required changes on these sheets, you can Import them by choosing what you want to import.
Options without our module User Templates :
Options with our module User Templates :
Select the correct(ed) file (using Browse) and click on “Import”.
Depending on the Approval Settings, the system will process the new authorizations or creates new Authorization Requests for the changes made.
Go to the menu Authorization Framework => Company Groups and click on the button New.
After saving the Company Group you have to select the companies that have to become part of that group.
Click under the fasttab Companies on “New”.
Click on the Companies you want to be part of that Group (you can select more at once)
Save & Close : Saves the adding of the chosen companies and returns to the Company Group card
Cancel : Cancels the adding of the chosen companies and returns to the Company Group card
The selected Companies are now part of that Group and will be visible when you have selected that Company Group.
To remove a company from the Company Group, click on the cross icon.
Depending on your Approval Settings, click on “Process” or “Send Authorization Request” to finalize the grouping of the Companies.
The status of the Company Group will change from “New” to “Processed”.
Changes to a Company Group can be viewed when you click on the Modifications icon of that Company Group
All changes regarding to Company Groups can also be found in the Change Log Entries
(Authorization Framework=>Change Log Entries)
The recording of permission sets makes it possible within Authorization Box to add new permissions within your Business Central environment.
But first there are a number of things that are important to set up or have at your disposal:
To start a recording follow the steps below:
1. In Business Central, search for “Session” and open “Record Session”.
2. Select a session ID to record
3. click on Start
Now switch to the Authorization Box and go to Authorization Framework => Permission Management => Record Permission Set
Select the user whose actions you want to record in Business Central.
If you find an incorrect user or no user at all, this may have the following reasons:
When you have chosen the user, click on Next
The screen of the Record Session shows the date and time of the recording you started in Business Central.
In the fields “Permission Set to record”, enter the Name and Description (max. 30 characters) of the Permission Set. In addition, you can choose which the rights to include: Read, Insert, Modify, Delete and Execute.
2-Controlware generally chooses Insert, Modify and Delete in recording Permission Sets.
To refine Permission Sets, you can choose the set from the dropdown menu (in “Permission set to refine results”) to ensure that pages and reports from a Permission Set are filtered and only the usable tabledata remains. You can select a “universal” Permission Set which is assigned to all users (for example a LOGIN, BASIC or ALL set) to automatically clean the recorded Permission Set so no rights will be assigned to the new set which are already assigned in the “universal” set.
Choose the correct Object Type. Default only “TableData” is chosen.
Exception: A field that is not used often is “Modify Existing Permission Set”. When this box is checked, you can check if a permission set is included incorrectly or incompletely. You can choose to completely overwrite an existing set or add new tabledata to it.
The following buttons are shown at the bottom of the screen:
Click on “Start”. The system will show that recording has started.
Have the user for which this Permission Set is being recorded, perform the actions in Business Central that have to be made possible with that specific Permission Set. The system should automatically assign the correct objects to the new Permission Set because of these actions.
When all actions have been made, you can stop the recording in the Authorization Box and in Business Central.
The new Permission Set should have been added into the system, with the corresponding objects to the performed actions already assigned to it.
The Permission sets are being cached for performance reasons.
When you sign in to the Authorization Box or when you switch connections, the system checks whether the cache for the current connection is older than a day. If so, the cache will automatically be refreshed for that connection.
When you add a permission set or make changes to an existing one, either in Business Central or in the Authorization Box, and the cache is not older than a day, these changes will only be visible after you have renewed the cache manually. You can manually refresh the permission sets cache from the permission sets page by clicking on the Refresh button in the top right corner of the permission sets page. In the top right corner, you can also find the date and time of when the cache was renewed.
To view the Permission Sets in the Authorization Box go to Authorization Framework => Permission Management => Permission Sets.
All the Permission Sets from the linked Business Central database will be listed.
The columns in this overview show the Type, Extension Name, No. Of linked Users and No. Of linked Organization Roles.
By clicking on a Permission Set you will see the details of that Permission Set.
Fasttabs :
You can also add Permission Sets in the Authorization Box.
Go to Authorization Framework => Permission Management=>Permission Sets and click on “New”.
Fill in the short name for the Permission Set and a name for this Permission Set.
Click on “Save & Close”.
In the next screen you can add Objects for this set by clicking on “New” under the fasttab Objects.
Save : Saves changes made in the name of the Permission set without closing the window
Save & Close : Saves the changes made and closes the window
Cancel : Cancels the changes made and returns to the Permission sets overview
Add the objects you want to assign to this Permission Set.
Available Type :
TableData : The actual data stored within tables in the database
Page : Used to display and organize data visually
Report : Used to structure and summarize data from the database, and to print or display this information in a formatted way
Table : Used for storing an managing data
Codeunit : A container for AL code that encapsulates business logic
XMLPort : Used to import and export data between Business Central and external sources
MenuSuite : Used in earlier versions (like Dynamics NAV) to define the main menu content displayed in the Navigation Pane. This object is no longer supported in the latest versions of Business Central
Query : Used to retrieve and manipulate data from one or more tables in the database
System : This layer includes essential functionalities and services that support the core application, such as authentication, permissions, and data synchronization
All types have the option to choose an Id and to Execute.
The type TableData however, has more options, which are described below.
After having chosen an Id, assign the rights by choosing nothing, Yes or Indirect in the lines for the Read, Insert, Modify and Delete permissions.
(Indirect means, that a user has to have two permissions to i.e. write to a table: the indirect permission to write to the table and additionally the right to execute an object which has the permission to write directly to that table)
Save & Close : Saves the adding of the object and closes the window
Save & New : Saves the adding of the object and returns to the start screen to add a new object
Cancel : Cancels the adding of the object and returns to the Edit Permission set window
As it is a User Defined permission set, you can edit it afterwards with the pencil icon (visible in the Permission sets overview).
In the near future you will also need approval for the adding and changing of User Defined permission sets.
With Permission Set Groups you can assign different Permission sets as a group to Organization Roles.
To add a Permission Set Group go to the menu Authorization Framework => Permission Management => Permission Set Groups and click on the button “New”.
Name : Enter the name for the Permission set Group
Save & Close : Saves the new Permission Set Group and opens the Permission Set Group card
Cancel : Cancels adding the new Permission Set Group and returns to the overview
On the Permission Set Group card, you select the Permission Sets which you want to collect in this Group.
Fasttab Permission Set : Click on the button “New” and select the required Permission Sets. You can select multiple sets by clicking on the different names. A check mark will appear behind the chosen sets.
Save & Close : Saves the selected Permission sets to the group and closes the window
Cancel : Cancels adding the selected Permission sets to the group and closes the window
As soon as you have added or removed Permission sets to the group and you “Save & Close” the change, the header will show the status “Changed”.
If you want to finish editing the group, you have to click “Process” to finalize the change(s) made.
Close : Closes the card and doesn't change the status of the card at that point
Process : Processes the change(s) made and changes the status of the card from “Changed" into “Processed”.
Approval requests : Shows the overview of changes made to that group.
Fasttab Users :
Shows which Users have been assigned this Permission Set Group
Fasttab Organization Roles :
Shows which Organization roles have been assigned this Permission Set Group
You have to create an Authorization Request to assign or revoke an Organization role to a user.
The Users are being cached for performance reasons.
When you sign in to the Authorization Box or when you switch connections, the system checks whether the cache for the current connection is older than a day.
If so, the cache will automatically be refreshed for that connection.
When you add a user or make changes to an existing one, either in Business Central or in the Authorization Box, and the cache is not older than a day, these changes will only be visible after you have renewed the cache manually. You can manually refresh the Users cache from the Users page by clicking on the Refresh button in the top right corner of the Users page.
In the top right corner, you can also find the date and time of when the cache was renewed.
View and manage users in the Users tab within User Management.
Default only the Active users will be visible. To change this, choose an other option in the top left corner with “Filter on … users”. The (default) list contains all current users from the Business Central and Authorization Box environment.
Sample of an overview :
When an active user does not have a checkmark in “exists only in Dynamics” you will be able to edit this user by clicking on the pencil icon.
Here you can change the setting “Overwrite Current Permissions”.
When this is activated (checked) the user will only have permissions based on assigned Organization Roles in the Authorization Box.
Save & Close : Saves changes made and returns to the User overview
Cancel : Cancels changes made and returns to the User overview
Should the changes not have been synced with Business Central, you can manually sync this by opening this User and click on “Synchronize” and the option “All”.
You can add a request for changes of a user which is not activated for the Authorization Box, by clicking on the Plus (+) sign.
For an active user, you can use the button “New authorization request” on the User page.
Or you can go to User Management=> Authorization Requests and choose the active User to make an Authorization Request for that User.
Click on a user in the overview (Users) which is activated in the Authorization box (colored blue and has a link) to open the User Card of that particular user.
In the header (fasttab with the name of that user) :
New Authorization request button : Opens a new authorization request for this user
Synchronize button : Synchronizes actions which still have “To be processed”. Optionally if you want to fully synchronize this user choose “All”.
User Name : Is populated automatically when the user was made
Name : Is populated automatically when the user was made
Checkbox “Overwrite Current Permissions” : When this box is checked, all permissions for this user which have been assigned directly in Business Central will be removed if they are not part of one of the organization roles assigned to this user
Checkbox “Doesn’t exist in Dynamics”: Box is checked when the user is not available in Business Central (=removed/deleted)
Checkbox “Exists only in Dynamics”: Box is checked when the user is not activated in the Authorization Box
Checkbox “Activated in Dynamics”: Box is checked when the user has the status Enabled in Business Central
Fasttab Organization Roles : overview of the organization roles assigned to this user.
Fasttab Permission Sets : overview of the permission sets assigned to this user through the organization roles assigned.
The permission sets assigned directly through Business Central (and not with an Organization role) will be shown in red and have a checkmark in the column “Directly assigned”.
Fasttab Processed Authorization Request Lines
In this overview you can find :
Fasttab User Data
Overview of the available personal user data.
There are several sections you can expand :
Fasttab Processed Actions (only available with the module User Templates)
Overview of all the actions on this user that have been processed when executing the Templates which are part of organization roles assigned to this user, or if there have been some pre- or post template actions executed for that user.
When clicking on the magnifying glass in that line, it will show the query for that template, showing e.g. the approver and the amounts applicable to that approval template.
Also, when a synchronization task has resulted into an error because of a query, you can find in this fasttab why that query was unsuccessful. The column Error Text will describe why the query was not executed.
Fasttab Synchronization Log
This fasttab shows an overview of the synchronizations of this user.
You have to create an Authorization Request to assign or revoke an Organization Role for a user.
To create a new Authorization Request navigate to User Management => Authorization Requests .
In this screen you can create new requests or delete outstanding requests. You can only delete requests with the status Canceled or New.
To create a new Authorization Request, click the “New” button.
Click on “Save” to fulfill the Authorization Request.
In the header of the next screen, the following options are presented.
- Deactivate user : check this option to deactivate an existing User in Business Central
- Profile-id : in case of a new user : choose the Profile-id for this user
- Note : you can fill in any remarks and use several text lines. This text will be visible in the Request for Approval.
Click on “Save” to save the changes you made so far.
If this is all you would like to do, you can click on “Send Approval Request” or “Cancel Request for Approval” when Approval is enabled.
If Approval is not enabled, you can click on “Process” to have this Request processed.
Should you also want to assign an Organization Role (or Roles), you can do this before you click on “Send..”, “Cancel…” or “Process” the Request.
In case of a new user, it is mandatory to assign at least one (1) Organization role.
To assign an Organization Role to the User, you can click on “New” under the fasttab Organization Role.
The following options are then presented to fill / choose :
Click on “Save & Close” if you have finished adding Organization Roles to this User.
Click on “Save & New” if you want to add an other Organization Role to this User.
The newly added Organization Role(s) are now visible with the state New. At this time it is also possible to edit this line in the Organization Role by clicking on the Edit pencil at the end of that line (e.g. to use an other Start Date or assign an other Company etc.) . If you have finished editing, you can close again with “Save & Close”.
You can also remove this new Organization Role by clicking on the Revoke button (x) at the end of that line.
If one or more Organization Roles were already assigned to a User, you can revoke them through a new Authorization Request. In this new Authorization Request you can click on the Revoke button (x) next to the Organization Role that you want to revoke.
After entering the End Date and clicking on “Save” the State will show “To be deleted”.
As soon as the Authorization Request is complete you have to send this for Approval.
This is only required if the number of approvers is not 0 (zero) for the Organization Role(s) in the Authorization Request.
Otherwise the process button is already available on the Authorization Request.
By processing the Authorization Request, the Permissions will be linked to the user in Business Central.
If approval is required, press the button “Send Approval Request”.
The state of the request will change to “Waiting to be Approved”.
To Cancel the Approval request, use the button “Cancel approval request”. If required, you can now make changes in the Authorization Request or cancel the whole Authorization Request using the button “Cancel request”.
When a change on an Organization Role is rejected, the status will be “Rejected”.
!! The rejection of the change on the Organization role still has to be processed in that role.
The processing of the Authorization Request is performed in the background. Therefore it is possible that the result is not immediately visible in the Authorization Box. If changes have been processed, the system creates a synchronization log record. This record shows the basis on which the synchronization took place (for example an authorization request) and for which user this was done.
You can view the processed Authorization Requests by going to User Management => Processed Authorization Requests.
Click on the name in the column Authorization Request to view the details of that request.
When approvers were required for a request, an icon will be visible in the column Approvers. Clicking on it will show the details of the approved/rejected request.
With approval management you set up if and/or how many approvers would be required for authorization requests.
You would have to assign approver(s) and set up how many approvers would be required in general or assign a different number of approvers to an organization role.
To deviate from the default number of approvers, you can assign the number of approvers on the role it self or make use of approval groups.
Through Setup => Approval settings you can change if approval on requests are required.
You can set up a default number of approvers for :
- company groups (add/edit requests)
- permission set groups (add/edit requests)
- organization roles (add/edit requests)
- authorization requests
The number of approvers which are set in these fields are the number of approvers which will be required when the Number of approvers in an organization role is set to “According to General Setup (Default)”.
When you go to Setup=>Approvers, you can assign the approvers.
Click on “New”
Choose the user you want to assign approval rights to.
Choose the approval type(s) you want to assign to that user.
Click on “Save & Close” to save the assignment(s) and close the screen, or “Cancel” to cancel the assignment(s).
You can setup how many approvers are required for the assignment of certain organization roles by using Approval Groups.
Go to Setup=>Approval Groups
Click “New”
Give a description to the Approval Group
Set the number of required approvers for that group
Click “Save & Edit”
Under the fasttab Users, choose which users should approve according to that group by moving them (with the arrow(s)) from the left to the right part.
Click “Save” in that fasttab
Under the fasttab Organization Roles, choose the role(s) this group should be assigned to by moving them (with the arrow(s)) from the left to the right part.
Click “Save” in that fasttab
Click “Save & Close” in the header to save the settings in that Approval Group.
You will see a confirmation that the settings have been changed.
The Organization role(s) will also show this approval group has been assigned to that/those role(s).
Even if the default general settings is set to No approvers for any request, an authorization request for this role still needs 2 approvers.
Besides the “Default” assigned number of approvers, you can assign a different number of approvers for an organization role by using the field “Number of approvers authorization request”.
!! Make sure you process this change to activate this number of approvers.
User Management=>Authorization Requests will show an authorization request made on a user and sent for approval
When you click on “Waiting to be Approved” it will show the overview of that approval request.
It will show how many approvers are required, which approver(s) would be required and what the status is. It also shows who made that request and when.
The approvers will receive a notification that a request has to be assessed and can find this request in “Requests for approval”
In the Requests for approval, the Pending requests will show
The number mentioned in the green oval mentions the number approvers required for that authorization request.
For instance, when you have an authorization request in which you want to add 3 organization roles to a user, and each organization role requires 1 approver, the number in the green oval will show the number “3” even though the request would be fully approved if 1 approver approved the request.
An other example, when you have an authorization request in which you want to add 3 organization roles to a user, and 1 role requires 2 approvers, the number in the green oval will show the number “4”.
Using the eye icon (under Review) the approver will open the request where an approval or rejection can be given to that request.
When a request is Rejected, a memo field will appear where you can fill in the reason of rejection or any other note you want to be visible in the Processed authorization request.
A rejected request (still visible in the Authorization Requests), needs to be Process manually. Once processed, this rejection will appear in the Processed Authorization Requests. (User Management=>Processed Authorization Requests)
Opening the rejected request will show details of the rejected approval.
Hovering over the Information icon behind “Rejected” in the Status column, will show the note which was made during rejection.