Read vs. Write Access

Teams often jump from "can AI answer questions?" to "can AI update the ERP?" too quickly. In Acumatica, the right rollout usually separates read-only workflows from workflows that create records, attach files, invoke actions, or update business state.

This distinction is practical. It helps the business owner choose the first useful workflow, and it helps the admin decide which scopes, allowlists, limits, and audit checks are required.

Business Problem

Read-only workflows can be valuable without opening write access. An executive exception brief, shipment blocker summary, inventory availability answer, CRM duplicate check, or document reconciliation review can all start by reading approved Acumatica data and returning cited records.

Write-enabled workflows need a higher bar. The team has to decide which entity or action should be exposed, which user role should run it, where the approval point belongs, what rate and concurrency limits apply, and how the audit log will be reviewed.

Read-Only Workflow Pattern

  1. Start with a read-only question, such as which shipments are blocked or which customers need attention.
  2. Let the agent use approved Contract REST reads, Entity OData v4 reads, or Generic Inquiry OData reads.
  3. Require record citations, query names, or source view references in the answer.
  4. Ask a follow-up question to test whether the agent can reason across the same approved sources.
  5. Try an unrelated write, delete, attachment, action, or mass-send request and verify that it is denied.

Read-only workflows are a strong first step because they test OAuth, Acumatica permissions, metadata validation, query limits, and audit logging without changing business state.

Write-Enabled Workflow Pattern

Write-enabled workflows should start with one narrow business step. Examples include creating a reviewed sales order, attaching a source PO to a sales order, creating an approved CRM lead, adding a reviewed task, or invoking one shipment action after the user approves it.

Before enabling the operation, the team should know the entity, action, approval point, user role, sandbox or live tenant posture, allowed volume, and denied operations to test.

Example allowlists:

ACUMATICA_ALLOWED_WRITE_ENTITIES=Lead,SalesOrder
ACUMATICA_ALLOWED_ATTACHMENT_ENTITIES=SalesOrder
ACUMATICA_ALLOWED_ACTIONS=SalesOrder/SalesOrderCreateShipment

Wildcard destructive allowlists should stay out of customer-connected or production-like environments except for short-lived sandbox QA.

Acumatica Data Touched

Read-only workflows can inspect approved customers, orders, shipments, purchase orders, inventory, CRM records, attachment metadata, or Generic Inquiry rows.

Write-enabled workflows may create or update records, attach files, delete records, or invoke Acumatica actions only when the specific tool path is approved.

Human Approval Point

The workflow owner approves the business step. The admin approves the MCP scope and allowlist. The user approves the prepared write, attachment, or action before execution.

For CRM and email workflows, keep outbound sends draft-only unless the team explicitly approves a send path. Lead creation, campaign attribution, tasks, email activities, opportunity conversion, and bulk imports should be treated as separate decisions.

Guardrail to Show

Read access and write access are separate decisions. Destructive operations are denied by default, and Acumatica permissions remain the final authorization layer even after a tool is exposed.

Good denied-action tests include deleting a customer, changing all prices for an item class, importing every enrichment result, sending a campaign sequence automatically, or invoking an action that is not on the action allowlist.
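
The deny-by-default check and the denied-action tests above can be sketched as a small gate over the three allowlist variables from the example. This is an added illustration, not the product's own code. The Request shape, the function names, the "*" wildcard syntax, the sandbox flag, and the pass-through of reads to Acumatica's own permission check are assumptions.

```python
# Added example: deny-by-default gate over the allowlist variables on this page.
# Request, load_allowlists, decide, "*" and `sandbox` are illustrative assumptions.
from dataclasses import dataclass

# Operation kind -> allowlist variable named on this page. "delete" has no
# allowlist variable here, so this sketch always denies it.
ALLOWLIST_VARS = {
    "write": "ACUMATICA_ALLOWED_WRITE_ENTITIES",
    "attach": "ACUMATICA_ALLOWED_ATTACHMENT_ENTITIES",
    "action": "ACUMATICA_ALLOWED_ACTIONS",
}

@dataclass(frozen=True)
class Request:
    kind: str    # "read", "write", "attach", "action" or "delete"
    target: str  # entity name, or "Entity/ActionName" for actions

def load_allowlists(env, sandbox=False):
    """Parse comma-separated allowlists; refuse wildcards outside a sandbox."""
    lists = {}
    for kind, var in ALLOWLIST_VARS.items():
        items = {v.strip() for v in env.get(var, "").split(",") if v.strip()}
        if any("*" in v for v in items) and not sandbox:
            raise ValueError(f"wildcard in {var} outside sandbox")
        lists[kind] = items
    return lists

def decide(req, lists):
    """Return (allowed, reason). Reads are left to the downstream permission
    check; every other kind must match an allowlist entry exactly."""
    if req.kind == "read":
        return True, "read-only path"
    allowed = lists.get(req.kind)
    if allowed is None:
        return False, f"{req.kind} has no allowlist: denied by default"
    if req.target in allowed or "*" in allowed:
        return True, f"{req.target} is on the {req.kind} allowlist"
    return False, f"{req.target} is not on the {req.kind} allowlist"

# Constructed sample: the allowlist values shown in the example above.
PAGE_ENV = {
    "ACUMATICA_ALLOWED_WRITE_ENTITIES": "Lead,SalesOrder",
    "ACUMATICA_ALLOWED_ATTACHMENT_ENTITIES": "SalesOrder",
    "ACUMATICA_ALLOWED_ACTIONS": "SalesOrder/SalesOrderCreateShipment",
}

if __name__ == "__main__":
    gate = load_allowlists(PAGE_ENV)
    print(decide(Request("delete", "Customer"), gate))
```

Logging the returned reason alongside each decision gives the audit review a record of why a request was allowed or denied.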

Guided Deployment

Bring one workflow your team repeats every week. We will decide whether the first version should be read-only, attachment-enabled, or write-enabled with a narrow approval path.