Today, I will be discussing about XDS feature in D365 F&O. Microsoft introduced a  framework namely extensible data security as a evolution to record level security of AX 2012.

Extensible Data Security framework is used for securing shared data in order to give users the access to show only that part of table data which is allowed by enforced  policy.

Let's take an example of Custgroup Form. We have a particular customer group with value 10 and  we want to show only sales orders of customer group 10 to user . For this purpose we will be implementing extensible data security framework.

Note: Security policies does not work for system administrators role.

Below is the data showing all sales orders with different customer groups on Sales table form.


Following are setups required for developing XDS.

Step 1) Create a query to filter records on primary table in my case it is CustGroup table. So CustGroup table will be added as data source and we will apply range of value 10 on it.









Step 2) Create a policy and set following properties on it.
  • Constraint table : Set value to Yes if you want your primary table to be secured using this policy.
  • Primary table : Custgroup will be set as its value
  • Query : Set CustGroupXDS query as its value.
  • Enabled : Set its value to yes if you want to enforce policy by this extensible data security on run time.










Step 3) Create a new role or using existing one. For demo purpose I have created a new role and added existing privileges in it for binding with context type.
















Step 4) Add the constrained table or views. In my case it is Sales table and Sales line.

Note : When you are adding a constrained table, you must also choose the relationship to be used to join the primary table with this constrained table. 










Step 5) Setting the context.
There are three different type of context types.
  • Context string : Use it if a context is used to determine whether the policy should be applied. Whenever it is required this context string needs to be set by the application using the XDS:SetContextAPI.
  • RoleName : Use it if the policy requires to be implemented only for a user in a specific role that accesses the constrained tables.
  • RoleProperty : Use it if the policy is to be applied only if user is a member of any one of a set of roles that have the context string property set to the same value.
So we will set Contexttype and role name here.











Step 6) Add newly created role to the user. By going on System administrator -> Select Users -> Edit it -> Assign role










Step 7) Final output. Only sales orders with customer group 10 will be shown to user. :)