Understanding privileges


When I create a new menu item without creating any security privilege, then:

1. By default it's seen by any user regardless of its role?

2. If I create a privilege for this menu item and assign it to role x ... If the answer to the first question was yes, then by assigning it to certain roles, does this automatically make the menu item only visible to these roles?

3. Can I assign the privilege to a role from the system itself, not from AOT?

4. When I put the access DELETE for this menu item, does that mean if there was a possibility to delete records in this form then you can do that?

5. If I have a menu item for a batch, when clicked it deletes records from a table. Then the access level for this should not be delete, right? Because I'm only clicking a button, so would read be enough?

  • Suggested answer
    nmaenpaa Profile Picture
    101,160 Moderator on at

    1. Only System administrator role has access to menu items that are not associated with privilege(s). You can test this easily yourself.

    2. Only the role which contains the privilege can access it.

    3. You can do it in Security configuration form. With Visual Studio you can use source control, can see change history, deploy easily with other customizations, and can easily control and audit all changes. If you make changes via Security Configuration, you don't need a developer but you have fewer tools for application lifecycle management. You need to make a conscious decision and understand implications of your choice.

    4. Yes, Delete access allows you to delete records. But only if the author (developer) of the table/form decided that it's supported.

    5. For Action menu items you can use access level Invoke. Everything that the batch does is included in the privilege, unless there are tables where AOSAuthorization property is used: https://docs.microsoft.com/en-us/dynamicsax-2012/developer/aosauthorization-property-on-tables

    In general, you can find most of this info (and much more) also by testing yourself.

  • André Arnaud de Calavon Profile Picture
    301,035 Super User 2025 Season 2 on at

    Hi Junior AX,

    Nikolaos already provided the correct answers. One addition on your third question.

    If you are using the Security configuration, then you can still trace the changes, but only by comparing the audit trail which you can open from this same role. You can also move the security objects between environments.

    One advantage of using the configuration, is that you are not dependent on a moment to install a deployable package. You can do this directly at any point in time.

    However, if you make configuration changes, it will not be visible in the AOT as the application and development have been separated.

  • junior AX Profile Picture
    1,552 on at

    Thanks a lot, both of you.

    - In point 4, you mentioned that deleting records works only if the developer of the table/form decided it's supported.

    How can I decide if it's not supported? I mean, on the form data source there is allow delete, allow create and allow edit. Are those what decide if it's supported?

    How about tables? Does the AOS authorization property you mentioned in point 5 determine this?... Or is the form enough because the table is inside the form?

    - In point 5, there is no Invoke access level, only No access, read, create, update, delete and correct.

  • Suggested answer
    nmaenpaa Profile Picture
    101,160 Moderator on at

    4) Yes, it's controlled by AllowDelete of form data source. AllowDelete can also be restricted in X++ code for some records of the table, based on the data. For example it's not possible to delete a sales order that is invoiced. In addition to that, table relations can have "OnDeleted:Restricted" to prevent you from deleting data. For example you can't delete a customer group if some customer is linked to it.

    5) If AOSAuthorization is required for the operation (such as delete), your privilege must include table permission ("Permissions" node in the privilege) for deleting that table.

    I encourage you again to play around and test by yourself!

  • junior AX Profile Picture
    1,552 on at

    I will add my other email as a user and test myself.

    One last thing in point 5:

    - Does that mean that it's enough to only put the menu item as an entry point in the privilege without filling the permissions node, and if the access is delete I can do anything with the batch? (I still can't find the Invoke access level. I used SysoperationService for the batch.)

    But if my menu item of the form has a table that has an AOS authorization property other than "none", let's say Delete, then do I need to add the table as a permission in the permission node of the privilege or I won't be able to delete? I mean, the entry point access level delete of the menu item won't be enough?

  • Suggested answer
    nmaenpaa Profile Picture
    101,160 Moderator on at

    You can type "Invoke" manually in the privilege, even though it's not available in the lookup. But I assume Delete will work as well.

    And yes, if AOSAuthorization is None, then you need to grant table permissions. Just try it yourself!

  • junior AX Profile Picture
    1,552 on at

    I put the entry point only, without any permission, and AOS is none.

    When the access level was Read or Delete I was able to delete records using the batch. How come?

  • Suggested answer
    nmaenpaa Profile Picture
    101,160 Moderator on at

    For services you really have only "access" or "no access". There is no "can execute this code, but if there's a delete call inside it, it should not be allowed". That would not make sense.

    So, apparently also "Read" access to a service allows you to run it.

    To keep it clearer, I like to use "Invoke" as mentioned.

  • junior AX Profile Picture
    1,552 on at

    So if I put AOS delete the privilege would still work, but if I put AOS read, the privilege won't work, right, even if it was delete? Or would the service access still work regardless of AOS?

    One more thing: I also put the table as a permission and I put the access level as delete (no AOS), but when I put the URL for the table itself it says I don't have enough permissions. Why?

  • Suggested answer
    nmaenpaa Profile Picture
    101,160 Moderator on at

    In AX2012 you could choose between "Invoke" and "NoAccess" for service operations:

    docs.microsoft.com/.../security-privilege-properties

    So, I guess in D365FO "No access" means "No access" and everything else corresponds to "Invoke" (which you can still use, but it's not shown in the lookup).
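
The point made in this thread, that for an action or service entry point any access level other than "No access" lets the user run it, turned into a review script. This is an added example, not code from the thread or from Microsoft: it lists action menu item entry points that are granted through a data-style level such as Read instead of Invoke, so a reviewer does not mistake them for read-only grants. The XML element names are an assumed layout of a privilege's metadata file, and the sample privilege and its names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumed privilege metadata layout.
SAMPLE_PRIVILEGE = """\
<AxSecurityPrivilege>
  <Name>DemoCleanupBatchRun</Name>
  <EntryPoints>
    <AxSecurityEntryPointReference>
      <Name>DemoCleanupBatch</Name>
      <Grant><Read>Allow</Read></Grant>
      <ObjectName>DemoCleanupBatch</ObjectName>
      <ObjectType>MenuItemAction</ObjectType>
    </AxSecurityEntryPointReference>
    <AxSecurityEntryPointReference>
      <Name>DemoCleanupLog</Name>
      <Grant><Read>Allow</Read></Grant>
      <ObjectName>DemoCleanupLog</ObjectName>
      <ObjectType>MenuItemDisplay</ObjectType>
    </AxSecurityEntryPointReference>
    <AxSecurityEntryPointReference>
      <Name>DemoPostingBatch</Name>
      <Grant><Invoke>Allow</Invoke></Grant>
      <ObjectName>DemoPostingBatch</ObjectName>
      <ObjectType>MenuItemAction</ObjectType>
    </AxSecurityEntryPointReference>
  </EntryPoints>
</AxSecurityPrivilege>
"""

def audit_action_grants(xml_text):
    """Return (privilege, entry point, levels) for action menu items that are
    runnable through a data-style level (Read, Delete, ...) instead of Invoke."""
    root = ET.fromstring(xml_text)
    privilege = root.findtext("Name", default="?")
    findings = []
    for ep in root.iter("AxSecurityEntryPointReference"):
        if ep.findtext("ObjectType") != "MenuItemAction":
            continue  # display/output items: Read really is a data access level
        grant = ep.find("Grant")
        levels = sorted(e.tag for e in (grant if grant is not None else [])
                        if (e.text or "").strip() == "Allow")
        # Per the thread: any level other than "No access" lets the user run it.
        if levels and "Invoke" not in levels:
            findings.append((privilege, ep.findtext("ObjectName"), levels))
    return findings

if __name__ == "__main__":
    for priv, item, levels in audit_action_grants(SAMPLE_PRIVILEGE):
        print(f"{priv}: {item} is runnable via {levels}; record it as Invoke")
```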
