Friday, February 3, 2012

Role based Security in AX

Dynamics AX 2012 (AX 6.0) introduces a new pattern for securing forms, tables and other elements, called role-based security (RBS).

In Microsoft Dynamics AX, role-based security is aligned with the structure of the business. Users are assigned to security roles based on their responsibilities in the organization and their participation in business processes. The administrator grants access to the duties that users in a role perform, not to the program elements that users must use.

                    


Let's take a look at the data model of the security framework:


| Table | Description | Mapping |
|---|---|---|
| SecurityRole | Contains the list of roles | AOT → Security → Roles |
| SecurityUserRole | Contains the user to role mappings | System Administration → Users → User |
| SecurityTask | Contains the list of duties and privileges | AOT → Security → Privileges/Duties |
| SecuritySubTask | Contains the duty to privilege mappings | AOT → Security → Duties → Privileges |
| SecurityRoleTaskGrant | Contains the list of role to duty mappings | AOT → Security → Roles → Duties |


Some Examples

///////////////// Code in X++ /////////////////////////////

SecurityRole            securityRole;
SecurityUserRole        securityUserRole;
SecurityTask            securityTask;
SecuritySubTask         securitySubTask;
SecurityRoleTaskGrant   securityRoleTaskGrant;

// AOT names of the role and the privilege used in the queries below
#define.SecurityRole('BudgetBudgetManager')
#define.SecurityTask('BudgetManagerRoleCenterView')

// 1. How to find the record ID of the privilege
select firstOnly RecId from securityTask
    where securityTask.AotName  == #SecurityTask
        && securityTask.Type    == SecurityTaskType::Privilege;

// 2. How to find the record ID of the specified security role,
//    provided it is assigned to the currently logged-in user
select firstOnly RecId from securityRole
    exists join securityUserRole
    where securityRole.RecId     == securityUserRole.SecurityRole
        && securityRole.AotName  == #SecurityRole
        && securityUserRole.User == curUserId();

// 3. How to find all the duties containing the specified privilege
//    (the SecurityTask field holds the duty; use "while select" or "next" to visit every match)
select SecurityTask from securitySubTask
    where securitySubTask.SecuritySubTask == securityTask.RecId;

// 4. How to check whether the privilege is directly associated with the role
select firstOnly RecId from securityRoleTaskGrant
    where securityRoleTaskGrant.SecurityTask  == securityTask.RecId
        && securityRoleTaskGrant.SecurityRole == securityRole.RecId;

// 5. How to check whether the privilege is associated with the role through a duty
//    (the join must also be restricted to the privilege found in query 1)
select firstOnly RecId from securityRoleTaskGrant
    exists join securitySubTask
    where securityRoleTaskGrant.SecurityTask      == securitySubTask.SecurityTask
        && securitySubTask.SecuritySubTask        == securityTask.RecId
        && securityRoleTaskGrant.SecurityRole     == securityRole.RecId;
 ///////////////// Code in X++ /////////////////////////////
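The queries above can be combined into one access-review job. This is an added example, not code from the original post: for the currently logged-in user it lists every assigned role that reaches the privilege, and whether the path is a direct grant or goes through a duty. The job name, the `PrivilegeAotName` macro and the `privilege`/`duty` buffer names are illustrative; only the tables and fields used in the queries above are assumed.

```xpp
static void AuditPrivilegeGrantPaths(Args _args)   // illustrative job name
{
    SecurityRole            securityRole;
    SecurityUserRole        securityUserRole;
    SecurityTask            privilege;              // illustrative buffer name
    SecurityTask            duty;                   // illustrative buffer name
    SecuritySubTask         securitySubTask;
    SecurityRoleTaskGrant   securityRoleTaskGrant;
    int                     paths;
    #define.PrivilegeAotName('BudgetManagerRoleCenterView')

    select firstOnly RecId from privilege
        where privilege.AotName == #PrivilegeAotName
            && privilege.Type   == SecurityTaskType::Privilege;
    if (!privilege.RecId)
    {
        warning(strFmt("Privilege %1 not found", #PrivilegeAotName));
        return;
    }

    // Every role assigned to the current user
    while select AotName from securityRole
        exists join securityUserRole
        where securityUserRole.SecurityRole == securityRole.RecId
            && securityUserRole.User        == curUserId()
    {
        // Path A: role -> privilege (direct grant, bypasses the duty layer)
        select firstOnly RecId from securityRoleTaskGrant
            where securityRoleTaskGrant.SecurityRole  == securityRole.RecId
                && securityRoleTaskGrant.SecurityTask == privilege.RecId;
        if (securityRoleTaskGrant.RecId)
        {
            info(strFmt("%1: direct grant", securityRole.AotName));
            paths++;
        }
        // Path B: role -> duty -> privilege; one line per duty
        while select AotName from duty
            exists join securitySubTask
            where securitySubTask.SecurityTask     == duty.RecId
                && securitySubTask.SecuritySubTask == privilege.RecId
            exists join securityRoleTaskGrant
            where securityRoleTaskGrant.SecurityTask  == duty.RecId
                && securityRoleTaskGrant.SecurityRole == securityRole.RecId
        {
            info(strFmt("%1: via duty %2", securityRole.AotName, duty.AotName));
            paths++;
        }
    }
    info(strFmt("%1 grant path(s) for user %2", paths, curUserId()));
}
```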

8 comments:

  1. How can we access the names of the privileges, duties and entry points? Thank you in advance.

  2. Hi, I am new to Microsoft Dynamics AX 2012 and have been assigned security. I have a bunch of test scripts from our consultants doing the implementation and I have to assign roles to the function that is in each test script. I am having a lot of difficulty in finding what script goes with what roles. For example, a task of creating an item group. I know the permission is maintain item group, but I can't find the duty that has that permission in it, and therefore can't find the role it should go with. Are there any suggestions you may have? Anything will be greatly appreciated.

    Regards

  3. By permission, do you mean the privilege? Because usually a duty contains the privileges and roles contain the duties; there is also a way to directly assign the privilege to a role, but that is the standard practice for doing this. If a privilege of maintain item group exists, then it should also be somewhere in a duty or the role.

    And it is possible that one duty binds to multiple roles, so you need to consult with the implementation team to ask the name of the role. I assume that if there is new functionality added by the dev team, only the privilege needs to be created and put in a duty that is already in some role.
    Thanks,
    Arsalan

  4. How can I get the menu items from the roles? I mean (roles -> duties -> privileges -> permissions (menu items)). I want to know which license (enterprise or functional, task or self ...) the role I created \ existing took. I guess it's possible through menu items. Thanks in advance.

  5. Is there any way to give permission to a form control?

  6. Hi, this is very interesting and helpful. I know that it's maybe not the right place to ask for help, but I really need some.
    I'm using Dynamics Ax 2012 R2 and I have some of new roles created and other modified ( added or removed duties and privileges ) and now I need a report(table) about my roles which contains the following columns:
    Role Name; Role AOT Name; Duty Name; Duty AOT Name; Privilege Name; Privilege AOT Name; Menu Item Name; License CAL;
    I've searched the net and the forums and I've found very similar scripts and codes which give Role Names with License Types or Entry Point With Licenses but I couldn't find some that suits my task.
    I have Security Development Tool and tried to sort this out manually, but after one role with more than 1000 privileges associated with it, it was clear that that cannot be done by hand :).
    I have tried to write some code using SysSecRoleEntryPointsTmp and SysUserLicenseMetadataTmp but with no luck. I couldn't manage to get all the fields in the report I need.
    So if someone can help me or give me some clue, it will be very helpful for me and I'll value it a lot. Thanks in advance.

  7. Hello, this is a great article, but unfortunately I couldn't find the answer I was looking for. Can you help me, please?

    I have recently started working with the Dynamics Team at my employer's, and have been assigned the task of creating privileges, duties & corresponding roles. This is a huge task, and will take a couple of months if done manually by specifying access levels for each of the required Rich Client sub-nodes. I wanted to know, if we can import an Excel file to do the same thing? Or any other way that can significantly reduce the amount of clicking and waiting required for adding access levels? I have to specify access levels for privileges of almost all modules.
