Authorization Box authorizes users in Business Central per database through an Organization Chart.
In the Organization Chart you create Departments and Organization Roles. Permission Sets are linked to Organization Roles.
Changes in the Organization Chart will result in Approval Requests. Users are assigned to one or multiple Organization Roles through Authorization Requests.
When you edit an Organization Chart for a parent connection, you can specify if an Organization Chart is applicable for all children or for specific children. When an Organization Chart is applicable for specific children, the Organization Chart and its Roles are now only visible for the specified child connections.
To create an Organization Structure go to Authorization Framework => Organization Chart and click on the button New.
Name the Organization Chart.
In most cases this will be the organization name. You can create multiple Organization Charts for multiple purposes.
After you assigned the name click on “Save & Close”.
The new Chart is added to the overview.
The Organization chart is now created, but is still empty.
To add Departments, click on the Organization Chart in the overview screen.
To change the Department name, click on the edit button in the middle (above the line), click on + to add a new department and click x to remove a department. (do not use the “/” in the name of the Department as this will cause an error in the ex-/import of the structure)
When you edit an Organization Chart for a parent connection, you can specify if an Organization Chart is applicable for all children or for specific children.
When an Organization Chart is applicable for specific children, that Organization Chart and its Roles are now only visible for the specified child connections.
Organization Roles are linked to Departments. Add the Organization Roles to the Department in the Organization Structure, by clicking on the icon “Add a new Organization Role”.
A new screen opens
Name : Give a name to the new Organization Role;
Description : Give a short description of the Role;
Profile ID : Select a Profile Id (if applicable);
Approval Template : Select an Approval Template (if applicable);
Company required in Authorization Requests (checkbox) : Tick if this is applicable;
Number of approvers authorization request : Choose the number of approvers that are needed to get an authorization request approved and processed if this should be different from the default. Else choose “According to General Setup (Default)”;
Save & Close (button) : Saves the new Organization Role and opens the Organization Role card to be finished
Cancel (button) : Cancels addition of the new Organization Role
Blocked for assignment (checkbox) : Tick if you want to block this Organization Role to be assigned
Fasttab Permission Sets :
Fasttab Templates :
Fasttab Approval Groups :
Edit (button) : Assign to which Approval Group this Organization Role has to be assigned (if applicable). Is only possible if the Organization Role was already assigned to an Approval Group.
Change order (button) : Change the order of the Approval Groups when a request has to be approved
Save (button) : Saves the request as is
Close (button) : Saves the request as is and closes the view
Process (button) : Processes the request. This will only be visible if no approval is required for this request.
Send Approval Request (button) : Changes the status of the request to “to be approved”
Change Log Entries (button) : Shows an overview of all changes to this Organization Role.
Approval requests (button) : Shows an overview of all approval requests on this Organization Role
You can export the Organization Structure to Excel.
Later on (after modifications) it is possible to import this in the same environment or another (new) environment.
You can do this in Authorization Framework => Organization Chart where you find an overview of all created Organization Charts.
Click on the “Export/Import” button and choose for “Export Structure”.
This will result in an Excel file with six sheets:
After you have made the required changes on these sheets, you can Import them by choosing what you want to import.
Select the correct file (using Browse) and click on “Import”.
Depending on the Approval Settings, the system will process the new authorizations or creates new Authorization Requests for the changes made.
Go to the menu Authorization Framework => Company Groups and click on the button New.
Click on “Save & Close” to Save the Company Group.
After saving the Company Group you have to select the companies that have to become part of that group.
Click under the header Companies on “New”.
Click on the Companies you want to be part of that Group (you can select more at once) and click on “Save & Close”.
The selected Companies are now part of that Group and will be visible when you have selected that Company Group.
Depending on your Approval Settings, click on “Process” or “Send Authorization Request” to finalize the grouping of the Companies.
The recording of permission sets makes it possible within Authorization Box to add new permissions within your Business Central environment.
But first there are a number of things that are important to set up or have at your disposal:
To start a recording follow the steps below:
1. In Business Central, search for “Session” and open “Record Session”.
2. Select a session ID to record
3. click on Start
Now switch to the Authorization Box and go to Authorization Framework => Permission Management => Record Permission Set
Select the user whose actions you want to record in Business Central.
If you find an incorrect user or no user at all, this may have the following reasons:
When you have chosen the user, click on Next
The screen of the Record Session shows the date and time of the recording you started in Business Central.
In the fields “Permission Set to record”, enter the Name and Description (max. 30 characters) of the Permission Set. In addition, you can choose which the rights to include: Read, Insert, Modify, Delete and Execute.
2-Controlware generally chooses Insert, Modify and Delete in recording Permission Sets.
To refine Permission Sets, you can choose the set from the dropdown menu (in “Permission set to refine results”) to ensure that pages and reports from a Permission Set are filtered and only the usable tabledata remains. You can select a “universal” Permission Set which is assigned to all users (for example a LOGIN, BASIC or ALL set) to automatically clean the recorded Permission Set so no rights will be assigned to the new set which are already assigned in the “universal” set.
Choose the correct Object Type. Default only “TableData” is chosen.
Exception: A field that is not used often is “Modify Existing Permission Set”. When this box is checked, you can check if a permission set is included incorrectly or incompletely. You can choose to completely overwrite an existing set or add new tabledata to it.
The following buttons are shown at the bottom of the screen:
Click on “Start”. The system will show that recording has started.
Have the user for which this Permission Set is being recorded, perform the actions in Business Central that have to be made possible with that specific Permission Set. The system should automatically assign the correct objects to the new Permission Set because of these actions.
When all actions have been made, you can stop the recording in the Authorization Box and in Business Central.
The new Permission Set should have been added into the system, with the corresponding objects to the performed actions already assigned to it.
The permission sets are being cached for performance reasons.
When you sign in to the Authorization Box or when you switch connections, the system checks whether the cache for the current connection is older than a day. If so, the cache will automatically be refreshed for that connection.
When you add a permission set or make changes to an existing one, either in Business Central or in the Authorization Box, and the cache is not older than a day, these changes will only be visible after you have renewed the cache manually. You can manually refresh the permission sets cache from the permission sets page by clicking on the Refresh button in the top right corner of the permission sets page. In the top right corner, you can also find the date and time of when the cache was renewed.
You can view the Permission Sets in the Authorization Box from the menu Authorization Framework => Permission Management => Permission Sets.
All the Permission Sets from the linked Business Central database will be listed. Also there are several columns with useful information about the permission sets.
These columns shows the Type, Extension Name, No. Of linked Users and No. Of linked Organization Roles.
By clicking on a Permission Set you will see the details of that Permission Set.
You can also add Permission Sets in the Authorization Box.
Go to Authorization Framework => Permission Management=>Permission Sets and click on “New”.
Fill in the short name for the Permission Set and a name for this Permission Set.
Click on “Save & Close”.
In the next screen you can add Objects for this set by clicking on “New” under the fasttab Objects.
Add the objects you want this Permission Set to have access to.
Assign the rights by choosing nothing, Yes or indirect in the lines for the Read, Insert, Modify and Delete.
Click on “Save & New” if you want an other object to this Permission Set, or “Save & Close” if you have finished adding the required objects to that Permission Set.
To finish editing the Permission Set, choose “Save & Close”. The new Permission Set is now added.
As it is a User Defined permission set, you can edit it with the pencil icon, if necessary.
In the near future you will also need approval for the adding and changing of User Defined permission sets.
With Permission Set Groups you can assign different permission sets as a group to Organization Roles. To add a Permission Set Group go to the menu Authorization Framework => Permission Management => Permission Sets Groups and click on the button “New”.
Enter the name for the Permission Set Group en click on “Save & Close”.
Next you add the Permission Sets which you want to collect in this Group.
Click on the button “New” and select the required Permission Sets. You select more sets by clicking on the different names (a check mark will appear behind the chosen sets).
When you have finished choosing the Permission Sets you can click on “Save & Close”.
You have to create an Authorization Request to assign or revoke an organization role to a user.
The Users are being cached for performance reasons.
When you sign in to the Authorization Box or when you switch connections, the system checks whether the cache for the current connection is older than a day. If so, the cache will automatically be refreshed for that connection.
When you add a user or make changes to an existing one, either in Business Central or in the Authorization Box, and the cache is not older than a day, these changes will only be visible after you have renewed the cache manually. You can manually refresh the Users cache from the Users page by clicking on the Refresh button in the top right corner of the Users page.
In the top right corner, you can also find the date and time of when the cache was renewed.
View and manage users in the Users tab within User Management.
Default only the Active users will be visible. Changing this is possible by choosing an other option in the top left corner with “Filter on … users”. The (default) list contains all current users from the Business Central and Authorization Box environment.
Sample of an overview :
When an active user does not have a checkmark in “exists only in Dynamics” you will be able to edit this user by clicking on the pencil icon. (usually the User Name will have the color blue)
You can change the setting to “Overwrite Current Permissions”.
When this is activated the user will only have permissions based on assigned Organization Roles in the Authorization Box.
You can opt to remove the checkmark to exclude a user when “Overwrite Current Permissions” was activated for the whole database connection.
Click “Save & Close” to save the setting.
Should this not have been synced with Business Central, you can manually sync this by opening this User and click on “Synchronize” and the option “All”.
You can add a request for changes of a user which is not activated for the Authorization Box, by clicking on the Plus (+) sign.
An other option is to use the button “New authorization request” on the User page.
Click on a user in the overview (Users) which is activated in the Authorization box (colored blue and has a link) to open the User Card of that particular user.
In the header (fasttab with the name of that user) :
New Authorization request button : Opens a new authorization request for this user
Synchronize button : Synchronizes actions which still have “To be processed”. Optionally if you want to fully synchronize this user choose “All”.
User Name : Is populated automatically when the user was made
Name : Is populated automatically when the user was made
Checkbox “Overwrite Current Permissions” : When this box is checked, all permissions for this user which have been assigned directly in Business Central will be removed if they are not part of one of the organization roles assigned to this user
Checkbox “Doesn’t exist in Dynamics”: Box is checked when the user is not available in Business Central (=removed/deleted)
Checkbox “Exists only in Dynamics”: Box is checked when the user is not activated in the Authorization Box
Checkbox “Activated in Dynamics”: Box is checked when the user has the status Enabled in Business Central
Fasttab Organization Roles : overview of the organization roles assigned to this user.
Fasttab Permission Sets : overview of the permission sets assigned to this user through the organization roles assigned.
The permission sets assigned directly through Business Central (and not with an Organization role) will be shown in red and have a checkmark in the column “Directly assigned”.
Fasttab Processed Authorization Request Lines
In this overview you can find :
Fasttab User Data
Overview of the available personal user data.
There are several sections you can expand :
Fasttab Processed Actions (only available with the module User Templates)
Overview of all the actions on this user that have been processed when executing the Templates which are part of organization roles assigned to this user, or if there have been some pre- or post template actions executed for that user.
When clicking on the magnifying glass in that line, it will show the query for that template, showing e.g. the approver and the amounts applicable to that approval template.
Also, when a synchronization task has resulted into an error because of a query, you can find in this fasttab why that query was unsuccessful. The column Error Text will describe why the query was not executed.
Fasttab Synchronization Log
This fasttab shows an overview of the synchronizations of this user.
You have to create an Authorization Request to assign or revoke an Organization Role for a user.
To create a new Authorization Request navigate to User Management => Authorization Requests .
In this screen you can create new requests or delete outstanding requests. You can only delete requests with the status Canceled or New.
To create a new Authorization Request, click the “New” button.
Click on “Save” to fulfill the Authorization Request.
In the header of the next screen, the following options are presented.
- Deactivate user : check this option to deactivate an existing User in Business Central
- Profile-id : in case of a new user : choose the Profile-id for this user
- Note : you can fill in any remarks and use several text lines. This text will be visible in the Request for Approval.
Click on “Save” to save the changes you made so far.
If this is all you would like to do, you can click on “Send Approval Request” or “Cancel Request for Approval” when Approval is enabled.
If Approval is not enabled, you can click on “Process” to have this Request processed.
Should you also want to assign an Organization Role (or Roles), you can do this before you click on “Send..”, “Cancel…” or “Process” the Request.
In case of a new user, it is mandatory to assign at least one (1) Organization role.
To assign an Organization Role to the User, you can click on “New” under the fasttab Organization Role.
The following options are then presented to fill / choose :
Click on “Save & Close” if you have finished adding Organization Roles to this User.
Click on “Save & New” if you want to add an other Organization Role to this User.
The newly added Organization Role(s) are now visible with the state New. At this time it is also possible to edit this line in the Organization Role by clicking on the Edit pencil at the end of that line (e.g. to use an other Start Date or assign an other Company etc.) . If you have finished editing, you can close again with “Save & Close”.
You can also remove this new Organization Role by clicking on the Revoke button (x) at the end of that line.
If one or more Organization Roles were already assigned to a User, you can revoke them through a new Authorization Request. In this new Authorization Request you can click on the Revoke button (x) next to the Organization Role that you want to revoke.
After entering the End Date and clicking on “Save” the State will show “To be deleted”.
As soon as the Authorization Request is complete you have to send this for Approval.
This is only required if the number of approvers is not 0 (zero) for the Organization Role(s) in the Authorization Request.
Otherwise the process button is already available on the Authorization Request.
By processing the Authorization Request, the Permissions will be linked to the user in Business Central.
If approval is required, press the button “Send Approval Request”.
The state of the request will change to “Waiting to be Approved”.
To Cancel the Approval request, use the button “Cancel approval request”. If required, you can now make changes in the Authorization Request or cancel the whole Authorization Request using the button “Cancel request”.
When a change on an Organization Role is rejected, the status will be “Rejected”.
!! The rejection of the change on the Organization role still has to be processed in that role.
The processing of the Authorization Request is performed in the background. Therefore it is possible that the result is not immediately visible in the Authorization Box. If changes have been processed, the system creates a synchronization log record. This record shows the basis on which the synchronization took place (for example an authorization request) and for which user this was done.
You can view the processed Authorization Requests by going to User Management => Processed Authorization Requests.
Click on the name in the column Authorization Request to view the details of that request.
When approvers were required for a request, an icon will be visible in the column Approvers. Clicking on it will show the details of the approved/rejected request.
With approval management you set up if and/or how many approvers would be required for authorization requests.
You would have to assign approver(s) and set up how many approvers would be required in general or assign a different number of approvers to an organization role.
To deviate from the default number of approvers, you can assign the number of approvers on the role it self or make use of approval groups.
Through Setup => Approval settings you can change if approval on requests are required.
You can set up a default number of approvers for :
- company groups (add/edit requests)
- permission set groups (add/edit requests)
- organization roles (add/edit requests)
- authorization requests
The number of approvers which are set in these fields are the number of approvers which will be required when the Number of approvers in an organization role is set to “According to General Setup (Default)”.
When you go to Setup=>Approvers, you can assign the approvers.
Click on “New”
Choose the user you want to assign approval rights to.
Choose the approval type(s) you want to assign to that user.
Click on “Save & Close” to save the assignment(s) and close the screen, or “Cancel” to cancel the assignment(s).
You can setup how many approvers are required for the assignment of certain organization roles by using Approval Groups.
Go to Setup=>Approval Groups
Click “New”
Give a description to the Approval Group
Set the number of required approvers for that group
Click “Save & Edit”
Under the fasttab Users, choose which users should approve according to that group by moving them (with the arrow(s)) from the left to the right part.
Click “Save” in that fasttab
Under the fasttab Organization Roles, choose the role(s) this group should be assigned to by moving them (with the arrow(s)) from the left to the right part.
Click “Save” in that fasttab
Click “Save & Close” in the header to save the settings in that Approval Group.
You will see a confirmation that the settings have been changed.
The Organization role(s) will also show this approval group has been assigned to that/those role(s).
Even if the default general settings is set to No approvers for any request, an authorization request for this role still needs 2 approvers.
Besides the “Default” assigned number of approvers, you can assign a different number of approvers for an organization role by using the field “Number of approvers authorization request”.
!! Make sure you process this change to activate this number of approvers.
User Management=>Authorization Requests will show an authorization request made on a user and sent for approval
When you click on “Waiting to be Approved” it will show the overview of that approval request.
It will show how many approvers are required, which approver(s) would be required and what the status is. It also shows who made that request and when.
The approvers will receive a notification that a request has to be assessed and can find this request in “Requests for approval”
In the Requests for approval, the Pending requests will show
The number mentioned in the green oval mentions the number approvers required for that authorization request.
For instance, when you have an authorization request in which you want to add 3 organization roles to a user, and each organization role requires 1 approver, the number in the green oval will show the number “3” even though the request would be fully approved if 1 approver approved the request.
An other example, when you have an authorization request in which you want to add 3 organization roles to a user, and 1 role requires 2 approvers, the number in the green oval will show the number “4”.
Using the eye icon (under Review) the approver will open the request where an approval or rejection can be given to that request.
When a request is Rejected, a memo field will appear where you can fill in the reason of rejection or any other note you want to be visible in the Processed authorization request.
A rejected request (still visible in the Authorization Requests), needs to be Process manually. Once processed, this rejection will appear in the Processed Authorization Requests. (User Management=>Processed Authorization Requests)
Opening the rejected request will show details of the rejected approval.
Hovering over the Information icon behind “Rejected” in the Status column, will show the note which was made during rejection.