Payment Journal Approval Workflow

How to configure a strict governance gate for Payment Journals in Business Central to ensure Chain of Custody before Demiton extraction.

Setting up Payment Journal Approvals

In the Demiton "Iron Layer" philosophy, the ERP is the source of truth for Intent, and Demiton is the infrastructure for Execution.

To guarantee that the intent is valid, you must configure a native Business Central Workflow. This ensures that no payment file can be generated via Demiton until a delegated authority has cryptographically signed off (clicked "Approve") within the ledger.

Prerequisite: You must have SUPER or Workflow Admin permissions in Business Central to configure these steps.

The Governance Logic

By default, Business Central allows any user with posting rights to post a journal. When you enable this workflow:

Lockdown: The Payment Journal is locked. Lines cannot be posted or extracted while status is Open.
Segregation: The creator cannot be the approver (optional but recommended).
Tamper Proofing: If a user modifies an amount or bank account after approval, the status resets to Open automatically, blocking the Demiton extraction.

Step 1: Configure Approval Users

Before building the logic, define who has the authority to sign off on cash outflows.

Search for Approval User Setup in BC.
Add your Finance Team members.
Configure the hierarchy:
- User ID: The person requesting approval (e.g., The AP Clerk).
- Approver ID: The person signing off (e.g., The CFO).
- Unlimited Request Approval: Check this for the CFO.
- Email: Required if you want email notifications.

Demiton Best Practice: Ensure the Approver ID is not the same person configuring the Demiton Connector. This enforces a strict Segregation of Duties (SoD) at the infrastructure level.

Step 2: Create the Workflow from Template

Do not build from scratch. Use the Microsoft standard template and harden it.

Search for Workflows.
Click + New -> New Workflow from Template.
Select General Journal Approval Workflow (under the Finance category).
- Note: There is no specific "Payment Journal" template; we modify the General Journal one.

Step 3: Harden the Workflow (The "Payment Only" Filter)

The default template applies to all journals (General, Assets, etc.). We must restrict this to Payments only to avoid blocking your accountants from doing daily reallocations.

1. Modify the "On Condition"

Click on the first line (Event: An approval request is requested...). Look at the On Condition tab in the right pane.

Add a filter to ensure this only fires for Payments:

General Journal Batch -> Template Type: Set to Payments.

2. Configure the Approver Chain

Click on the first response line (Response: Create an approval request...).

Approver Type: Select Approver.
Approver Limit Type: Select Specific Approver (for direct control) or Approver Chain (to follow the hierarchy in Step 1).

3. Enable the Workflow

Toggle the Enabled switch at the top of the card.

Step 4: Configuring Demiton Blueprints

Now that BC is enforcing approvals, you must update your Demiton Blueprint to respect this gate.

In your Outbound Payment Blueprint, update the Fetch step (OData Query) to strictly filter for approved lines.

// Example OData Filter Configuration in Demiton Studio
{
  "$filter": "JournalTemplateName eq 'PAYMENTS' and GenJournalLineApprovalStatus eq 'Approved'"
}